Abstract

We propose a type system for a calculus of contracting processes. 
Processes may stipulate contracts, and then either behave honestly, 
by keeping the promises made, or not. Type safety guarantees 
that a typeable process is honest — that is, the process abides by 
the contract it has stipulated in all possible contexts, even those 
containing dishonest adversaries. 

Categories and Subject Descriptors D.2.4 [Software/program 
verification]: Formal Methods; D.3.1 [Programming Languages]: 
Formal Definitions and Theory; D.3.2 [Programming Languages]: 
Language Classifications — Concurrent, distributed, and parallel 
languages; F.3.1 [Logics and Meaning of Programs]: Specifying 
and Verifying and Reasoning about Programs; F.3.2 [Logics and 
Meaning of Programs]: Semantics of Programming Languages — 
Program analysis operational semantics; F.3.2 [Logics and Mean- 
ing of Programs]: Studies of Program Constructs — Type structure 

General Terms Languages, Security, Theory, Verification 

Keywords Behavioural types, contracts 

1. Introduction 

1.1 The problem 

It is commonplace that distributed applications are not easy to de- 
sign. Besides the intrinsic issues due e.g. to physical or logical dis- 
tribution, and to the fragility of communication networks and their 
low-level protocols, distributed applications have to be engineered 
within an apparent dichotomy. On the one hand, distributed com- 
ponents have to cooperate in order to achieve their goals and, on 
the other hand, they may have to compete, e.g. to acquire shared re- 
sources. This dichotomy is well represented by the service-oriented 
paradigm, which fosters the shift from "stand-alone" applications 
to dynamically composed ones. 

Cooperation and competition hardly coexist harmoniously. 
Most approaches to the formal specification of concurrent systems 
typically assume that components behave honestly, in that they al- 
ways adhere to some agreed specification. For instance, this could 
be some behavioural type inferred from the component, and the as- 
sumption is that the static behaviour safely over-approximates the 
dynamic one. We argue that this assumption is unrealistic in sce- 
narios where competition prevails against cooperation. Indeed, in 



a competitive scenario components may act selfishly, and diverge 
from the agreed specification. 

We envision a contract-oriented computing paradigm [3], for the design of distributed components which use contracts to discipline their interaction. CO2 [2] is a core calculus for contract-oriented computing. A CO2 process may advertise contracts to some contract broker; once the broker has found a set of compliant contracts, a session is established among the processes which advertised them. Processes may then use this session to perform the actions needed to realise their contracts, similarly to other session-centric calculi.

A distinguished feature of CO2 is that processes are not supposed to respect their contracts, nor are they bound to them by an enforcing mechanism. More realistically, dishonest processes may avoid performing some actions they have promised in their contracts. This may happen either intentionally, e.g. a malicious process which tries to swindle the system, or unintentionally, e.g. because of some implementation bug (possibly exploited by some adversary). In both cases, the infrastructure can determine which process has caused the violation, and adequately punish it.

A crucial problem is then how to guarantee that a process will behave honestly, in all possible contexts where it may be run. If such a guarantee can be given, then the process is protected both against unintentional bugs, and against (apparently honest) adversaries which try to make it sanctioned. A negative result in [2] is that the problem of determining if a process is honest is undecidable for a relevant class of contracts. These are the contracts introduced in [10], and then refined in [11], for modelling WSDL and WSCL contracts. The problem is then how to find a computable approximation of honesty, which implies the dynamic one.

1.2 Example 

Let us consider an on-line food store (participant A), which sells apples (a) and bottles of an expensive Italian Brunello wine (b). Selling apples is quite easy: once a customer places an order, it is accepted (with the feedback ok) and the store waits for payment (pay) before shipping the goods (ship-a). However, if the customer requests an expensive bottle of Brunello, the store reserves itself the right to choose whether to accept the order (and then wait for payment and ship the item, as above), or to decline it, by answering no to the customer. These intentions are modeled by the following store contract (using a simplified notation, see Ex. 2.2):

$$c = a . \mathit{ok} . \mathit{pay} . \textit{ship-a} \;+\; b . (\mathit{no} \oplus \mathit{ok} . \mathit{pay} . \textit{ship-b})$$

This contract features two kinds of branching operators: external choice +, and internal choice ⊕. External choice requires the other party (in this case, the customer) to choose which prefix will drive the contract evolution. The choice is between apples a and bottles b. Internal choice, instead, allows the advertising party (the store) to choose a branch, by selecting either ok or no.



short description of paper 2012/11/13



In order to sell its goods, the store needs to find an agreement with a participant advertising a compliant contract. Intuitively, contract compliance is based on the duality of actions and internal/external choices. For instance, the store contract c is compliant with the following customer contract:

$$d = \bar b . (\overline{\mathit{ok}} . \overline{\mathit{pay}} . \overline{\textit{ship-b}} + \overline{\mathit{no}})$$

A customer B who advertises such a contract wants to buy Brunello wine: she promises to select $\bar b$ (dual of b in the store contract), and then presents an external choice that lets the store choose between ok or no feedbacks; in the first case, she promises to pay and wait for shipment.

CO2 allows for describing the behaviour of each participant as a process, with the ability to advertise contracts and execute the actions required to honour them. For instance, the store A can advertise its contract c by firing the prefix:

$$\mathit{tell}_K \downarrow_x c$$

where the index K is the name of an external broker, whom the contract is being advertised to. We shall not specify the behaviour of K, and just assume that it establishes sessions when compliant contracts are found. The index x in $\downarrow_x c$ is the name of a channel of A. When a session is established between A and (say) B, a fresh session name s is shared between A and B. Technically, x is replaced with s. Participants A and B will then use such session to perform the actions required by their contracts.
A possible specification of the store process is e.g.:

$$P_M = (x)\,\big(\mathit{tell}_K \downarrow_x c \;.\; (\mathit{do}_x\, a . X_M(x) + \mathit{do}_x\, b . X_M(x))\big)$$
$$X_M(x) = \mathit{do}_x\, \mathit{ok} \;.\; \mathit{do}_x\, \mathit{pay} \;.\; \mathit{ask}_x\, \textit{ship-a?} \;.\; \mathit{do}_x\, \textit{ship-a}$$

Here, the store creates a private channel x, and advertises the contract c. Once a session is established, the process can proceed, and accept an order for a or b on x. This is modelled by the choice operator +, which is the usual one of CCS (not to be confused with + of contracts), with guards $\mathit{do}_x\, a$ and $\mathit{do}_x\, b$. In both cases, the process $X_M(x)$ is invoked. There, the store accepts the transaction with an ok action, and waits for payment. Then it checks whether the contract requires the store to ship apples: if the query $\mathit{ask}_x\, \textit{ship-a?}$ passes, the goods are shipped. Otherwise, when the customer has selected Brunello, the store maliciously gets stuck, and so the customer has paid for nothing. This store is dishonest, because it does not respect its own contract c.

Consider now a non-malicious implementation of the food store. Before accepting orders, the store requires an insurance policy against shipment damages, which may be particularly useful for the expensive (and fragile) Brunello bottles. Thus, now A advertises a contract $c_P$ to an insurance company C with an offer to pay (payP), followed by the possibility to choose between getting a full coverage on the value of the goods, or cancelling the request:

$$c_P = \mathit{payP} \;.\; (\mathit{cover} \oplus \mathit{cancel})$$

The behaviour of the store is now modelled by the process:

$$P_N = (x,y)\,\big(\mathit{tell}_C \downarrow_y c_P \;.\; \mathit{do}_y\, \mathit{payP} \;.\; \mathit{tell}_K \downarrow_x c \;.\; (\mathit{do}_x\, a . \mathit{do}_x\, \mathit{ok} . X_N(x) + \mathit{do}_x\, b . Y_N(x,y))\big)$$
$$X_N(x) = \mathit{do}_x\, \mathit{pay} \;.\; (\mathit{ask}_x\, \textit{ship-a?} . \mathit{do}_x\, \textit{ship-a} + \mathit{ask}_x\, \textit{ship-b?} . \mathit{do}_x\, \textit{ship-b})$$
$$Y_N(x,y) = \mathit{do}_y\, \mathit{cover} \;.\; (\mathit{do}_x\, \mathit{ok} . X_N(x) + \tau . \mathit{do}_x\, \mathit{no})$$

Here, the store first requests an insurance policy, by advertising the contract $c_P$; once the insurance company C agrees, the store pays the fee (on channel y). Then, just like the previous case, the store advertises c, and once an agreement with a customer is reached, it waits for a or b orders. If apples are requested, the process acknowledges (ok) and invokes $X_N(x)$; there, the store waits for payment, checks which good is expected to be shipped according to the contract, and actually ships it. Otherwise, if Brunello is requested, $Y_N(x,y)$ is invoked: there, the store requests the insurance coverage that was paid in advance; then, either the order is accepted and $X_N(x)$ is invoked for payment and shipment (as above), or the transaction is declined after an internal action τ (e.g. wake up after a timeout).

This implementation is not as malicious as the first attempt, because at least it actually ships the goods upon payment, but it is not honest either. The problem lies in the interaction between the store and the other parties. If C does not deliver the promised cover, the store keeps waiting on $\mathit{do}_y\, \mathit{cover}$ (which is a blocking operation), unable to honour c by providing the expected ok/no. Furthermore, A is dishonest w.r.t. $c_P$: the insurance fee is paid in advance, but A might never perform $\mathit{do}_y\, \mathit{cover}$ nor $\mathit{do}_y\, \mathit{cancel}$, e.g. if no agreement on c is found, or if the customer B remains stuck, or if B simply chooses to buy apples. Thus, due to implementation naiveties, A may be blamed because of the unexpected (or malicious) behaviour of other participants.

An actually honest food store requires a slightly more complex implementation:

$$P_H = (x)\,\big(\mathit{tell}_K \downarrow_x c \;.\; (\mathit{do}_x\, a . X_H(x) + \mathit{do}_x\, b . Y_H(x))\big)$$
$$X_H(x) = \mathit{do}_x\, \mathit{ok} \;.\; \mathit{do}_x\, \mathit{pay} \;.\; (\mathit{ask}_x\, \textit{ship-a?} . \mathit{do}_x\, \textit{ship-a} + \mathit{ask}_x\, \textit{ship-b?} . \mathit{do}_x\, \textit{ship-b})$$
$$Y_H(x) = (y)\,\big(\mathit{tell}_C \downarrow_y c_P \;.\; \mathit{do}_y\, \mathit{payP} \;\mid\; (\mathit{do}_y\, \mathit{cover} . X_H(x) + \tau . (\mathit{do}_x\, \mathit{no} \mid \mathit{do}_y\, \mathit{cancel}))\big)$$

This time, A advertises c and waits for a or b orders. If apples are requested, the store invokes $X_H(x)$, which acknowledges ok and, just like $X_N(x)$ above, waits for payment and ships the good expected by the contract. If Brunello is requested, then $Y_H(x)$ is invoked instead. There, a new private channel y is created, the store advertises $c_P$ and tries to pay the insurance fee on y; in parallel, the store either requests the coverage and invokes $X_H(x)$ (as above), or it performs an internal action τ (e.g. wake up after a timeout). In the latter case, the order is declined and (in parallel) the insurance request is cancelled. As a result, even if either B or C remains stuck and culpable, A is always able to honour the contract stipulated with the other party.

1.3 Contributions 

The main contribution of this paper is a type discipline for statically ensuring when a CO2 process is honest. The need for a static approximation is motivated by the fact that honesty is an undecidable property, as shown in [2]. Our type system associates behavioural types (in the form of Basic Parallel Processes, BPPs [14]) to each channel of a process. Checking honesty on these abstractions is decidable (Theorem 5.11). We establish subject reduction (Theorem 5.32) and progress (Theorem 5.34), which are then used to prove type safety: typeable processes are honest (Theorem 5.35).

1.4 Paper outline 

In Sections 2 and 3 we present some background material on the contract model and on the calculus CO2, respectively. In Section 4 we formalise a notion of honesty for CO2 processes. In Section 5 we introduce our type system, and we state its main properties. The scenario in Section 1.2 is used as a working example through the paper. Our type system will determine that $P_M$ and $P_N$ above are not honest, while $P_H$ is honest. Finally, in Section 6 we draw some conclusions and we discuss related work.

2. A Theory of Contracts

Contracts are modelled in a variant of CCS, inspired by [11] and refined in [2]. We assume a set of participants, ranged over by A, B, ..., and a set of atoms a, b, ..., that represent the actions performed by participants. We use an involution $\bar a$, as in CCS. We assume a distinguished atom e (for "end") such that $\bar e = e$, which models a successfully terminated participant, similarly to [11].

We distinguish between (unilateral) contracts c, which model 
the promised behaviour of a single participant, and bilateral con- 
tracts 7, which combine the contracts of two participants. 

Definition 2.1 (Unilateral and bilateral contracts, [2]). Unilateral contracts are defined by the following grammar:

$$c ::= \bigoplus_{i \in I} a_i ; c_i \;\;\big|\;\; \sum_{i \in I} a_i . c_i \;\;\big|\;\; \mathit{ready}\ a . c \;\;\big|\;\; \mathit{rec}\,X . c \;\;\big|\;\; X$$

where (i) the index set I is finite; (ii) the atoms in $\{a_i\}_{i \in I}$ are pairwise distinct; (iii) the ready prefix may appear at the top-level, only; (iv) recursion is guarded. We stipulate that the continuation of e in a contract is always $E = \mathit{rec}\,X . e ; X$. We will omit trailing occurrences of E in contracts.

Bilateral contracts are terms of the form $A\ \mathit{says}\ c \mid B\ \mathit{says}\ d$, where A ≠ B and at most one occurrence of ready is present.

An internal sum $\bigoplus_{i \in I} a_i ; c_i$ requires a participant A to choose and perform one of the actions $a_i$, and then to behave according to its continuation $c_i$. Dually, an external sum $\sum_{i \in I} a_i . c_i$ requires A to offer B a choice among all the branches. If B chooses $a_i$, then A must continue according to $c_i$. Separators _;_ and _._ allow us to distinguish singleton internal sums (e.g., a ; c) from singleton external sums (e.g., a . c). We shall use binary operators to isolate a branch in a sum: e.g. (a ; c) ⊕ c' where c' is an internal sum. Separators have higher precedence than ⊕ and +, e.g., a ; c ⊕ b ; c' = (a ; c) ⊕ (b ; c').

Example 2.2. Using the syntax of Def. 2.1, the food store contract introduced in Sect. 1.2 is represented as:

$$c = a . \mathit{ok} ; \mathit{pay} . \textit{ship-a} \;+\; b . ((\mathit{ok} ; \mathit{pay} . \textit{ship-b}) \oplus \mathit{no})$$

The precise version of the customer contract in Sect. 1.2 is:

$$d = \bar b ; (\overline{\mathit{ok}} . \overline{\mathit{pay}} ; \overline{\textit{ship-b}} + \overline{\mathit{no}})$$

The behaviour of bilateral contracts is given in terms of a labelled transition relation. We refer to [2] for the full technical details (also shown in Fig. 11). Here we just comment on the main rules. Rule [IntExt] regulates the interaction between a participant A making an internal choice, and B offering an external choice:

$$A\ \mathit{says}\ (a ; c \oplus c') \;\mid\; B\ \mathit{says}\ (\bar a . d + d') \;\xrightarrow{A\ \mathit{says}\ a}\; A\ \mathit{says}\ c \;\mid\; B\ \mathit{says}\ \mathit{ready}\ \bar a . d$$

If A chooses the branch a in her internal sum, then B is committed to the corresponding branch $\bar a$ in his external sum. This is modelled by marking the selected branch with ready $\bar a$, and by discarding the other branches. Rule [Rdy] allows B to perform the marked branch:

$$A\ \mathit{says}\ c \;\mid\; B\ \mathit{says}\ \mathit{ready}\ \bar a . d \;\xrightarrow{B\ \mathit{says}\ \bar a}\; A\ \mathit{says}\ c \;\mid\; B\ \mathit{says}\ d$$


The previous rules do not define the behaviour of a bilateral contract in case an internal choice is not matched by any action in the external choice of the partner. To guarantee that a bilateral contract can keep evolving (until one of the participants wants to exit), we introduce the notion of compliance, by adapting that in [11]. This relies on the notion of ready sets.

Definition 2.3 (Ready sets, [3]). The ready sets of a contract c (denoted by RS(c)) are defined as:

$$RS(c) = \begin{cases} \{\{\mathit{ready}\ a\}\} & \text{if } c = \mathit{ready}\ a . c' \\ RS(c') & \text{if } c = \mathit{rec}\,X . c' \\ \{\{a_i\} \mid i \in I\} & \text{if } c = \bigoplus_{i \in I} a_i ; c_i \text{ and } I \neq \emptyset \\ \{\{a_i \mid i \in I\}\} & \text{if } c = \sum_{i \in I} a_i . c_i \end{cases}$$

Notice that $RS(c) \neq \emptyset$ for all contracts c.

Definition 2.4 (Compliance, [2]). The relation ⋈ is the largest relation on contracts s.t. if c ⋈ d,

(1) $\forall X \in RS(c),\, Y \in RS(d).\;\; \{\bar a \mid a \in X\} \cap Y \neq \emptyset \;\text{ or }\; \exists a.\ \mathit{ready}\ a \in (X \cup Y) \setminus (X \cap Y)$

(2) $A\ \mathit{says}\ c \mid B\ \mathit{says}\ d \;\to\; A\ \mathit{says}\ c' \mid B\ \mathit{says}\ d' \;\implies\; c' \bowtie d'$

When c ⋈ d, we say that the contracts c and d are compliant.

Example 2.5. The contracts c and d of our working example (Ex. 2.2) are compliant.
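The ready sets of Def. 2.3 and the compliance check of Def. 2.4, run on the contracts of Ex. 2.2, as an added example that is not part of the paper: the tuple encoding of contracts, the `~a` spelling of co-actions and the helper names are our own. Compliance is decided by exploring the bilateral transition system built from rules [IntExt] and [Rdy], which is finite for the contracts of Def. 2.1 because recursion is guarded.

```python
# Added example (not from the paper): contracts of Def. 2.1, ready sets of
# Def. 2.3 and the compliance relation of Def. 2.4, applied to the store and
# customer contracts of Ex. 2.2.  The term encoding and helper names are ours.
from itertools import product

def dual(a):
    """CCS-style involution on atoms: "a" <-> "~a"; the end atom e is self-dual."""
    if a == "e":
        return "e"
    return a[1:] if a.startswith("~") else "~" + a

# Contract terms (tuples, so they are hashable):
#   ("int", ((atom, cont), ...))  internal sum  a1 ; c1 (+) a2 ; c2 ...
#   ("ext", ((atom, cont), ...))  external sum  a1 . c1  +  a2 . c2 ...
#   ("ready", atom, cont), ("rec", X, body), ("var", X)
def Int(*br):     return ("int", tuple(br))
def Ext(*br):     return ("ext", tuple(br))
def Ready(a, c):  return ("ready", a, c)
def Rec(x, body): return ("rec", x, body)
def Var(x):       return ("var", x)

E = Rec("X", Int(("e", Var("X"))))      # E = rec X . e ; X  (successful end)

def subst(c, x, by):
    """Replace the free occurrences of variable x in c by the contract 'by'."""
    tag = c[0]
    if tag == "var":
        return by if c[1] == x else c
    if tag == "rec":
        return c if c[1] == x else ("rec", c[1], subst(c[2], x, by))
    if tag == "ready":
        return ("ready", c[1], subst(c[2], x, by))
    return (tag, tuple((a, subst(k, x, by)) for a, k in c[1]))

def unfold(c):
    """Expose the top-level sum; recursion is guarded, so this terminates."""
    while c[0] == "rec":
        c = subst(c[2], c[1], c)
    return c

def ready_sets(c):
    """RS(c) of Def. 2.3; the marker 'ready a' is encoded as the pair ("ready", a)."""
    c = unfold(c)
    if c[0] == "ready":
        return [frozenset({("ready", c[1])})]
    if c[0] == "int":
        return [frozenset({a}) for a, _ in c[1]]
    return [frozenset(a for a, _ in c[1])]   # external sum, possibly empty

def steps(c, d):
    """Transitions of A says c | B says d as (label, c', d'): rule [IntExt] in
    both directions (whichever side holds the internal sum) and rule [Rdy]."""
    c, d = unfold(c), unfold(d)
    out = []
    if c[0] == "ready":
        out.append((("A", c[1]), c[2], d))
    if d[0] == "ready":
        out.append((("B", d[1]), c, d[2]))
    if c[0] == "int" and d[0] == "ext":
        out += [(("A", a), c1, Ready(b, d1))
                for a, c1 in c[1] for b, d1 in d[1] if b == dual(a)]
    if d[0] == "int" and c[0] == "ext":
        out += [(("B", b), Ready(a, c1), d1)
                for b, d1 in d[1] for a, c1 in c[1] if a == dual(b)]
    return out

def ready_ok(c, d):
    """Clause (1) of Def. 2.4 on the current ready sets of c and d."""
    for X, Y in product(ready_sets(c), ready_sets(d)):
        co_X = {dual(a) for a in X if not isinstance(a, tuple)}
        pending = any(isinstance(m, tuple) for m in (X | Y) - (X & Y))
        if not (co_X & Y or pending):
            return False
    return True

def compliant(c, d):
    """c |><| d: no bilateral state reachable from A says c | B says d violates
    clause (1).  Reachable states are finitely many (rec is unfolded
    syntactically), so the largest relation of Def. 2.4 is found by search."""
    seen, todo = set(), [(c, d)]
    while todo:
        pair = todo.pop()
        if pair in seen:
            continue
        seen.add(pair)
        if not ready_ok(*pair):
            return False
        todo += [(c1, d1) for _, c1, d1 in steps(*pair)]
    return True

# Ex. 2.2: store contract c and customer contract d (the customer's atoms are
# the co-actions of the store's).
store = Ext(("a", Int(("ok", Ext(("pay", Int(("ship-a", E))))))),
            ("b", Int(("ok", Ext(("pay", Int(("ship-b", E))))), ("no", E))))
customer = Int(("~b", Ext(("~ok", Int(("~pay", Ext(("~ship-b", E))))), ("~no", E))))
# A customer who ignores the store's right to answer "no" is not compliant:
# the store may pick that branch, and the customer offers nothing dual to it.
customer_bad = Int(("~b", Ext(("~ok", Int(("~pay", Ext(("~ship-b", E))))))))
```

`compliant(store, customer)` reproduces Ex. 2.5, while `customer_bad` shows the check catching a partner who cannot follow one of the store's internal branches.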

3. A Calculus of Contracting Processes 

The contracts of Sect. 2 are embedded in the process calculus CO2 [2]. We report in this section the main concepts and definitions. Let V and N be disjoint sets of, respectively, session variables (ranged over by x, y, ...) and session names (ranged over by s, t, ...). Let u, v, ... range over V ∪ N.

Definition 3.1 (CO2 syntax). The syntax of CO2 is given by:

$$P ::= \textstyle\sum_i \pi_i . P_i \;\;\big|\;\; P \mid P \;\;\big|\;\; (u)P \;\;\big|\;\; X(\vec u)$$
$$\pi ::= \tau \;\;\big|\;\; \mathit{tell}_A \downarrow_u c \;\;\big|\;\; \mathit{fuse} \;\;\big|\;\; \mathit{do}_u\, a \;\;\big|\;\; \mathit{ask}_u\, \phi$$
$$K ::= \downarrow_u A\ \mathit{says}\ c \;\;\big|\;\; K \mid K$$
$$S ::= 0 \;\;\big|\;\; A[P] \;\;\big|\;\; A[K] \;\;\big|\;\; s[\gamma] \;\;\big|\;\; S \mid S \;\;\big|\;\; (u)S$$

where S are systems, K are latent contracts, P are processes, and π are prefixes.

Processes specify the behaviour of participants. A process can be a prefix-guarded finite sum $\sum_i \pi_i . P_i$, a parallel composition $P \mid Q$, a delimited process $(u)P$, or a constant $X(\vec u)$. We write 0 for $\sum_\emptyset \pi_i . P_i$, and $\pi_i . Q_i + P$ for $\sum_{j \in I \cup \{i\}} \pi_j . Q_j$ provided that $P = \sum_{j \in I} \pi_j . Q_j$ and $i \notin I$. We omit trailing occurrences of 0. We stipulate that each X has a unique defining equation $X(u_1, \ldots, u_j) = P$ such that $\mathrm{fv}(P) \subseteq \{u_1, \ldots, u_j\} \subseteq V$, and each occurrence of process identifiers in P is prefix-guarded.

Prefixes include the silent action τ, contract advertisement $\mathit{tell}_A \downarrow_u c$, contract stipulation fuse, action execution $\mathit{do}_u\, a$, and contract query $\mathit{ask}_u\, \phi$. In each prefix π ≠ τ, the identifier u refers to the target session involved in the execution of π. As in [2], we leave the syntax of φ unspecified.

A latent contract $\downarrow_x A\ \mathit{says}\ c$ represents a contract c advertised by A but not stipulated yet. The variable x will be instantiated to a fresh session name upon stipulation. K simply stands for the parallel composition of latent contracts.

A system is composed of participants A[P], sessions s[γ], sets of latent contracts advertised to A, denoted by A[K], and delimited systems (u)S. Delimitation (u) binds session variables and names, both in processes and systems. Free variables and names are defined as usual, and they are denoted by fv(_) and fn(_). A system/process is closed when it has no free variables. Each participant may have at most one process in a system, i.e. we forbid systems of the form A[P] | A[Q]. We say that a system is A-free when it does not contain the participant A[P], nor latent contracts of A, nor contracts of A stipulated in a session. Note that sessions cannot contain latent contracts.
$$A[(v)P] \equiv (v)A[P] \qquad A[K] \mid A[K'] \equiv A[K \mid K']$$
$$Z \mid 0 \equiv Z \qquad Z \mid Z' \equiv Z' \mid Z \qquad (Z \mid Z') \mid Z'' \equiv Z \mid (Z' \mid Z'')$$
$$Z \mid (u)Z' \equiv (u)(Z \mid Z')\ \text{ if } u \notin \mathrm{fv}(Z) \cup \mathrm{fn}(Z) \qquad (u)(v)Z \equiv (v)(u)Z \qquad (u)Z \equiv Z\ \text{ if } u \notin \mathrm{fv}(Z) \cup \mathrm{fn}(Z)$$

Figure 1. Structural congruence for CO2 (Z, Z', Z'' range over processes, systems, or latent contracts)



$$\text{[Tau]}\quad A[\tau . P + P' \mid Q] \;\xrightarrow{A:\,\tau}\; A[P \mid Q]$$

$$\text{[Tell]}\quad A[\mathit{tell}_B \downarrow_u c . P + P' \mid Q] \;\xrightarrow{A:\,\mathit{tell}_B \downarrow_u c}\; A[P \mid Q] \mid B[\downarrow_u A\ \mathit{says}\ c]$$

$$\text{[Fuse]}\quad \frac{K \rhd^{\sigma} \gamma \qquad \mathrm{ran}\,\sigma = \{s\} \qquad s \text{ fresh}}{A[\mathit{fuse} . P + P' \mid Q] \mid A[K] \;\xrightarrow{A:\,\mathit{fuse},\,\sigma}\; A[P \mid Q]\sigma \mid s[\gamma]}$$

$$\text{[Do]}\quad \frac{\gamma \xrightarrow{A\ \mathit{says}\ a} \gamma'}{A[\mathit{do}_s\, a . P + P' \mid Q] \mid s[\gamma] \;\xrightarrow{A:\,\mathit{do}_s\, a}\; A[P \mid Q] \mid s[\gamma']}$$

$$\text{[Ask]}\quad \frac{\gamma \vdash \phi}{A[\mathit{ask}_s\, \phi . P + P' \mid Q] \mid s[\gamma] \;\xrightarrow{A:\,\mathit{ask}_s\, \phi}\; A[P \mid Q] \mid s[\gamma]}$$

$$\text{[Del1]}\quad \frac{S \xrightarrow{A:\,\pi,\,\{s/x\}} S'}{(x)S \;\xrightarrow{A:\,\pi}\; (s)S'} \qquad\qquad \text{[Del2]}\quad \frac{S \xrightarrow{A:\,\pi,\,\sigma} S' \qquad \sigma \neq \{s/u\} \text{ for all } s}{(u)S \;\xrightarrow{A:\,\pi,\,\sigma_{-u}}\; (u)S'}$$

$$\text{[Par]}\quad \frac{S \xrightarrow{A:\,\pi,\,\sigma} S' \qquad \mathrm{ran}\,\sigma \cap \mathrm{fn}(S'') = \emptyset}{S \mid S'' \;\xrightarrow{A:\,\pi,\,\sigma}\; S' \mid S''\sigma}$$

$$\text{[Def]}\quad \frac{X(\vec u) \stackrel{\mathrm{def}}{=} P \qquad A[P\{\vec v/\vec u\} \mid Q] \mid S \xrightarrow{A:\,\pi,\,\sigma} S'}{A[X(\vec v) \mid Q] \mid S \;\xrightarrow{A:\,\pi,\,\sigma}\; S'}$$

Figure 2. Reduction semantics of CO2



The semantics of CO2 is formalised by a reduction relation on systems (Def. 3.2). This relies on a structural congruence relation, defined in Fig. 1. In order to define honesty in Sect. 4, here we decorate transitions with labels, by writing $\xrightarrow{A:\,\pi}$ for a reduction where participant A fires prefix π. Also, σ is a substitution which accounts for the instantiation of session variables upon a fuse.

Definition 3.2 (CO2 semantics). The relation $\xrightarrow{A:\,\pi,\,\sigma}$ between systems (considered up-to structural congruence ≡) is the smallest relation closed under the rules of Fig. 2. The relation $K \rhd^{\sigma} \gamma$ holds iff (i) K has the form $\downarrow_x A\ \mathit{says}\ c \mid \downarrow_y B\ \mathit{says}\ d$, (ii) c ⋈ d, (iii) $\gamma = A\ \mathit{says}\ c \mid B\ \mathit{says}\ d$, and (iv) $\sigma = \{s/x,\, s/y\}$ maps x, y ∈ V to s ∈ N. The substitution $\sigma_{-u}$ in rule [Del2] is defined as $\sigma_{-u}(v) = \sigma(v)$ for all v ≠ u, and it is undefined on u.

Rule [Tau] is standard. Rule [Tell] advertises the latent contract $\downarrow_x A\ \mathit{says}\ c$ to B. Rule [Fuse] stipulates a contract: if the latent contracts K of A include two compliant contracts, a fresh session s is created with the stipulation γ of K. The latent contracts K are consumed, and the substitution σ is applied to the system to instantiate session variables. Note that σ is recorded in the label, so as to allow rule [Par] to apply it to the context. Rule [Do] allows A to fire an action a in a session s[γ]. This is only possible if the contract γ admits a transition labelled A says a. After the reduction both the participant and the contract γ evolve to their respective residuals. Rule [Ask] allows A to check if a condition φ is satisfied by the contract in s[γ]. To this purpose, we use a relation ⊢, which as in [2] is left unspecified. The language for conditions φ and the relation ⊢ are parameters of the calculus. A typical instantiation is LTL and its entailment relation.

Rules [Del1] and [Del2] propagate (together with [Par]) substitutions through delimitations. Rule [Del1] is applied when only one variable (x) is being instantiated (with s). Upon reaching the delimitation, all the free occurrences of x within S' have already been instantiated, hence the substitution is discarded. Rule [Del2] deals with two cases: that where multiple variables (including u) are being instantiated, and that where the delimited identifier u is not being instantiated. In the first case, the substitution is restricted to the variables different from u, i.e. $\sigma_{-u}$. Notice that in this case the delimitation in the residual is immaterial, because $u \notin \mathrm{fv}(S')$, and so $(u)S' \equiv S'$. In the second case both the substitution and the delimitation are preserved. Rule [Par] is standard, but for the fact that the substitution σ has to be applied to the context S''. Rule [Def] is used to unfold constants.

Example 3.3. Consider the following system:

$$S = A[(x)X(x)] \;\mid\; B[(y)Y(y)] \;\mid\; K[\mathit{fuse}]$$
$$X(x) \stackrel{\mathrm{def}}{=} \mathit{tell}_K \downarrow_x (a ; E) . \mathit{do}_x\, a \qquad\qquad Y(y) \stackrel{\mathrm{def}}{=} \mathit{tell}_K \downarrow_y (\bar a . E) . \mathit{do}_y\, \bar a$$

A possible execution of S is the following:

$$S \;\xrightarrow{B:\,\mathit{tell}_K \downarrow_y (\bar a . E)}\; A[(x)X(x)] \;\mid\; K[\mathit{fuse}] \;\mid\; (y)\big(B[\mathit{do}_y\, \bar a] \mid K[\downarrow_y B\ \mathit{says}\ \bar a . E]\big) \tag{1}$$

$$\xrightarrow{A:\,\mathit{tell}_K \downarrow_x (a ; E)}\; (x)\big(A[\mathit{do}_x\, a] \mid (y)(B[\mathit{do}_y\, \bar a] \mid K[\mathit{fuse}] \mid K[K])\big) \tag{2}$$

where $K = \downarrow_x A\ \mathit{says}\ a ; E \mid \downarrow_y B\ \mathit{says}\ \bar a . E$

$$\xrightarrow{K:\,\mathit{fuse}}\; (s)\big(A[\mathit{do}_s\, a] \mid (y)(B[\mathit{do}_s\, \bar a] \mid K[0] \mid s[\gamma])\big) \;\equiv\; (s)\big(A[\mathit{do}_s\, a] \mid B[\mathit{do}_s\, \bar a] \mid s[\gamma]\big) \tag{3}$$

where $\gamma = A\ \mathit{says}\ a ; E \mid B\ \mathit{says}\ \bar a . E$

$$\xrightarrow{A:\,\mathit{do}_s\, a}\; (s)\big(A[0] \mid B[\mathit{do}_s\, \bar a] \mid s[\gamma']\big) \tag{4}$$

where $\gamma' = A\ \mathit{says}\ E \mid B\ \mathit{says}\ \mathit{ready}\ \bar a . E$

Transitions (1) and (2) above are obtained by applying rules [Tell], [Par], and [Def]. The derivation of transition (3) is obtained as follows. First, by rule [Fuse] we have:

$$K[\mathit{fuse}] \mid K[K] \;\xrightarrow{K:\,\mathit{fuse},\,\{s/x,\,s/y\}}\; K[0] \mid s[\gamma]$$

Hence, by rules [Par] and [Del2], we have

$$(y)\big(B[\mathit{do}_y\, \bar a] \mid K[\mathit{fuse}] \mid K[K]\big) \;\xrightarrow{K:\,\mathit{fuse},\,\{s/x\}}\; (y)\big(B[\mathit{do}_s\, \bar a] \mid K[0] \mid s[\gamma]\big)$$

By applying rules [Par] and [Del1] to the above, we obtain (3).

Finally, transition (4) is obtained by rule [Do], since $\gamma \xrightarrow{A\ \mathit{says}\ a} \gamma'$.

4. On Honesty 

We now define when a participant is honest. Intuitively, honest participants always respect the contracts they advertise. As remarked in Sect. 1, this notion is crucial in contract-oriented systems, since honest participants will never be liable in case of misbehaviours. More precisely, a participant A is honest when she realizes every contract she advertises, in every session she may be engaged in. Thus, if a system S contains a session s with a contract c advertised by A, such as:

$$A[P] \;\mid\; s[A\ \mathit{says}\ c \mid \cdots] \;\mid\; \cdots$$

then A must realize c, even in a system populated by adversaries which play to cheat her. To realize c, A must be "ready" to behave according to c.

Example 4.1. If A[P] has advertised a contract c with an internal choice $c_i = a \oplus b$, then P must be ready to do at least one of the actions a, b. Instead, if c is an external choice $c_e = a + b$, then P must be ready to do both the actions a and b.

Realizability requires the above readiness property to be preserved by arbitrary transitions taken by S. This amounts to saying that, in any reduct of S containing a reduct P' of P and a reduct c' of c, the process P' must still be ready for c'.

To formalise the notion of "P is ready for c", we need to inspect P and c. At the contract level, the ready sets in RS(c) (Def. 2.3) reveal whether c is exposing an internal or an external choice. At the process level, we consider the reachable actions in P.

Example 4.2 (Processes and readiness). Consider the following processes:

$$P_0 = \mathit{do}_s\, a \qquad\qquad P_1 = \mathit{do}_s\, a + \mathit{do}_s\, b + \mathit{do}_s\, z$$
$$P_2 = \tau . \mathit{do}_s\, a + \tau . \mathit{do}_s\, b \qquad\qquad P_3 = \mathit{do}_t\, w . \mathit{do}_s\, a + \mathit{do}_t\, z . \mathit{do}_s\, b$$

We now study whether $P_0, \ldots, P_3$ are ready for contracts $c_i$ and $c_e$ (introduced in Ex. 4.1) in session s. According to Def. 2.3, the ready sets of $c_i$ are {a} and {b}, while $c_e$ has only the ready set {a, b}. We have that:

• $P_0$ is ready for $c_i$, because there exists a ready set ({a}) in $RS(c_i)$ such that $\mathit{do}_s\, a$ is enabled in $P_0$. Instead, $P_0$ is not ready for $c_e$, because the ready set {a, b} of $c_e$ also contains b, which is not enabled in $P_0$.

• $P_1$ is ready for both $c_i$ and $c_e$. This is because $P_1$ enables two actions, $\mathit{do}_s\, a$ and $\mathit{do}_s\, b$, which cover all the ready sets of $c_i$ and $c_e$. Notice that the branch $\mathit{do}_s\, z$ is immaterial, because rule [Do] blocks any action not expected by the contract.

• $P_2$ is ready for $c_i$, because whatever branch is taken by $P_2$, it leads to an unguarded action which covers one of the ready sets in $c_i$. Instead, $P_2$ is not ready for $c_e$, because after one of the two branches is chosen, one of the two actions expected by $c_e$ is no longer available.

• The case of $P_3$ is a bit more complex than the above ones. Readiness w.r.t. $c_i$ depends on the context. If the context eventually enables one of the $\mathit{do}_t$, then either $\mathit{do}_s\, a$ or $\mathit{do}_s\, b$ will be enabled, hence $P_3$ is ready for $c_i$. Otherwise, $P_3$ is stuck, hence it is not ready for $c_i$. Notice that $P_3$ is not ready for $c_e$, regardless of the context.

To formalise readiness, we start by defining the set $RD^A_u(S)$ (for "Ready Do"), which collects all the atoms with an unguarded action $\mathit{do}_u$ of a participant A in a system S.

Definition 4.3 (Ready do). For all S, A and u, we define the set of atoms $RD^A_u(S)$ as:

$$RD^A_u(S) = \{a \mid \exists \vec v, P, P', Q, S'.\;\; S \equiv (\vec v)\big(A[\mathit{do}_u\, a . P + P' \mid Q] \mid S'\big) \;\wedge\; u \notin \vec v\}$$

Example 4.4. Consider the following system:

$$S = A[\mathit{do}_x\, a . \mathit{do}_y\, b + \tau . \mathit{do}_y\, a . \mathit{do}_x\, c \;\mid\; (x)\,\mathit{do}_x\, b]$$

We have that $RD^A_x(S) = \{a\}$, and $RD^A_y(S) = \emptyset$.



As seen in the above example for processes $P_2$ and $P_3$, readiness may also hold when the actions expected in the contract ready sets are not immediately available in the process. To check if A[P] is ready for session s (in a system S), we need to consider all the actions which (1) are exposed in P after some steps, taken by P itself or by the context, and (2) are not preceded by other $\mathit{do}_s$ actions performed by A. These actions are collected in the set $WRD^A_s(S)$.

Definition 4.5 (Weak ready do). We write $S \xrightarrow{\neq A:\,\mathit{do}_u} S'$ if

$$\exists B, \pi, \sigma.\;\; S \xrightarrow{B:\,\pi,\,\sigma} S' \;\wedge\; (B \neq A \;\vee\; \forall a.\ \pi \neq \mathit{do}_u\, a)$$

We then define the set of atoms $WRD^A_u(S)$ as:

$$WRD^A_u(S) = \{a \mid \exists S'.\;\; S \left(\xrightarrow{\neq A:\,\mathit{do}_u}\right)^{*} S' \text{ and } a \in RD^A_u(S')\}$$

Example 4.6. Recall the system S from Ex. 4.4. We have that:

$$WRD^A_x(S) = \{a\} = RD^A_x(S)$$
$$WRD^A_y(S) = \{a, b\} \supset RD^A_y(S)$$

The action a is weakly reachable through its τ prefix. The action b is weakly reachable as well, through the action $\mathit{do}_x\, a$ on channel x. Instead, c is not weakly reachable, because it is preceded by another do on the same channel.

Example 4.7. Recall the process $P_3 = \mathit{do}_t\, w . \mathit{do}_s\, a + \mathit{do}_t\, z . \mathit{do}_s\, b$ from Ex. 4.2. Consider the following system, where participant A is involved in two sessions s and t (respectively, with B and C):

$$S = A[P_3] \;\mid\; B[\tau . \mathit{do}_s\, \bar a . \mathit{do}_s\, \bar b] \;\mid\; C[\mathit{do}_t\, \bar w + \mathit{do}_t\, \bar z + \tau] \;\mid\; s[A\ \mathit{says}\ a + b \mid B\ \mathit{says}\ \bar a \oplus \bar b] \;\mid\; t[A\ \mathit{says}\ w + z \mid C\ \mathit{says}\ \bar w \oplus \bar z]$$

In session t, A is immediately ready to perform either w or z, and thus her ready do set coincides with her weak ready do set in t. The same holds for C, with the dual atoms $\bar w$ and $\bar z$. Thus:

$$WRD^A_t(S) = RD^A_t(S) = \{w, z\}$$
$$WRD^C_t(S) = RD^C_t(S) = \{\bar w, \bar z\}$$

In session s, the ready do sets of both A and B are empty, because their actions are not immediately enabled. Before they can be reached, the whole system S must first reduce, either with the contribution of C on session t (in the case of A), or through a τ action (in the case of B). These reductions fall within the definition of their weak ready do sets, which are accordingly non-empty.

$$WRD^B_s(S) = \{\bar a\} \supset RD^B_s(S)$$
$$WRD^A_s(S) = \{a, b\} \supset RD^A_s(S)$$

Notice that $\bar b \notin WRD^B_s(S)$: in fact, $\bar b$ is only reachable after B executes $\mathit{do}_s\, \bar a$, thus requiring a reduction trace which does not have the form $S \left(\xrightarrow{\neq B:\,\mathit{do}_s}\right)^{*}$. Finally, we emphasize that, if C chooses to perform τ, then the actions in $WRD^A_s(S)$ would not be reached. Indeed, Def. 4.5 only requires that each element in the set becomes reachable at the end of a suitable (weak) reduction trace, but it does not prevent S from reducing along other paths.

A participant A is ready in a system S containing a session $s[A\ \mathit{says}\ c \mid \cdots]$ iff A is (weakly) ready to do all the actions in some ready set of c. Notice that A is vacuously ready in systems not containing sessions with contracts stipulated by A.

Definition 4.8 (Readiness). We say that A is ready in S iff, whenever $S \equiv (\vec u)S'$ for some $\vec u$ and $S' = s[A\ \mathit{says}\ c \mid \cdots] \mid S_0$,

$$\exists X \in RS(c).\;\; \forall a.\;\; \big(a \in X \;\vee\; \mathit{ready}\ a \in X \;\implies\; a \in WRD^A_s(S')\big)$$
A process A[P] is said to be honest when, for all contexts where A[P] may be engaged in, A is persistently ready in all the reducts of that context. Notice that A[P] is vacuously honest when P advertises no contracts.

Informally, we shall say that A realizes a contract c in a session s in S when S has the form $A[P] \mid s[A\ \mathit{says}\ c \mid \cdots] \mid \cdots$, and the readiness condition is satisfied in s and in all its reducts. Then, A[P] is honest when A realizes all the contracts she advertises.

Definition 4.9 (Honesty). We say A[P] honest iff for all A-free S, and for all S' such that $A[P] \mid S \to^{*} S'$, A is ready in S'.



The A-freeness requirement in Def. 4.9 is used just to rule out those systems which already carry stipulated or latent contracts of A outside A[P], e.g. $A[P] \mid B[\downarrow_x A\ \mathit{says}\ \mathit{pay} \mid \cdots]$. In the absence of A-freeness, the system could trivially make A[P] dishonest.
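An added example, not from the paper, computing the ready-do and weak-ready-do sets of Definitions 4.3 and 4.5 and the readiness check of Definition 4.8 for the processes $P_0, \ldots, P_3$ of Ex. 4.2. It models only τ and do prefixes of a single participant, and it assumes that the context enables every do on a session other than the one being checked (the case of $P_3$ in which "the context eventually enables one of the $\mathit{do}_t$"); the term encoding and all names are ours.

```python
# Added example (not from the paper): ready-do (Def. 4.3), weak ready-do
# (Def. 4.5) and readiness (Def. 4.8) for one participant's process, run on
# P0..P3 of Ex. 4.2.  Our simplifications: only tau and do prefixes (no
# tell/fuse/ask, no recursion, no delimitation), and every do on a session
# other than the one under check is assumed to be enabled by the context.

# Process terms: ("sum", ((prefix, continuation), ...)) or ("par", P, Q).
# Prefixes: ("tau",) or ("do", session, atom).  0 is the empty sum.
NIL = ("sum", ())
TAU = ("tau",)

def Sum(*branches):
    return ("sum", tuple(branches))

def Do(u, a):
    return ("do", u, a)

def Par(p, q):
    # Z | 0 == Z (structural congruence of Fig. 1) keeps reducts canonical.
    if p == NIL:
        return q
    if q == NIL:
        return p
    return ("par", p, q)

def unguarded(p):
    """Top-level branches of p as (prefix, continuation, rest): firing the
    branch yields Par(continuation, rest), i.e. A[pi.P + P' | Q] -> A[P | Q]."""
    if p[0] == "par":
        left, right = p[1], p[2]
        return ([(pre, k, Par(rest, right)) for pre, k, rest in unguarded(left)] +
                [(pre, k, Par(left, rest)) for pre, k, rest in unguarded(right)])
    return [(pre, k, NIL) for pre, k in p[1]]   # a sum: siblings are discarded

def RD(p, u):
    """Def. 4.3: atoms a with an unguarded do_u a in p."""
    return {pre[2] for pre, _, _ in unguarded(p) if pre[0] == "do" and pre[1] == u}

def weak_reducts(p, u):
    """Processes reachable from p by steps that are not this participant's
    do_u (Def. 4.5): tau steps and do_v steps with v != u (assumed enabled)."""
    seen, todo = set(), [p]
    while todo:
        q = todo.pop()
        if q in seen:
            continue
        seen.add(q)
        for pre, k, rest in unguarded(q):
            if pre[0] == "tau" or pre[1] != u:
                todo.append(Par(k, rest))
    return seen

def WRD(p, u):
    """Def. 4.5: union of the ready-do sets over all weak reducts of p."""
    return set().union(*(RD(q, u) for q in weak_reducts(p, u)))

def ready(p, u, rs):
    """Def. 4.8 at one state: some ready set of the contract is covered by WRD."""
    return any(X <= WRD(p, u) for X in rs)

def persistently_ready(p, u, rs):
    """Readiness must also hold in every weak reduct; this is what separates
    P2 (ready for c_e at the start, not after a tau) from P1 in Ex. 4.2."""
    return all(ready(q, u, rs) for q in weak_reducts(p, u))

# Ready sets of c_i = a (+) b and c_e = a + b (Def. 2.3), and P0..P3 of Ex. 4.2.
C_I = [frozenset({"a"}), frozenset({"b"})]
C_E = [frozenset({"a", "b"})]
P0 = Sum((Do("s", "a"), NIL))
P1 = Sum((Do("s", "a"), NIL), (Do("s", "b"), NIL), (Do("s", "z"), NIL))
P2 = Sum((TAU, Sum((Do("s", "a"), NIL))), (TAU, Sum((Do("s", "b"), NIL))))
P3 = Sum((Do("t", "w"), Sum((Do("s", "a"), NIL))), (Do("t", "z"), Sum((Do("s", "b"), NIL))))

if __name__ == "__main__":
    for name, p in [("P0", P0), ("P1", P1), ("P2", P2), ("P3", P3)]:
        print(name, "WRD_s =", sorted(WRD(p, "s")),
              "c_i:", persistently_ready(p, "s", C_I),
              "c_e:", persistently_ready(p, "s", C_E))
```

The results match the four bullets of Ex. 4.2, with $P_3$ judged ready for $c_i$ only because of the optimistic-context assumption stated above.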

Example 4.10. Consider the following system:

$$S = A[(x,y)(P_A \mid \mathit{fuse} \mid \mathit{fuse})] \;\mid\; B[P_B] \;\mid\; C[P_C]$$
$$P_A = \mathit{tell}_A (\downarrow_x a . E) \;.\; \mathit{tell}_A (\downarrow_y b ; E) \;.\; \mathit{do}_x\, a \;.\; \mathit{do}_y\, b$$
$$P_B = (z)\big(\mathit{tell}_A (\downarrow_z \bar b . E) \;.\; \mathit{do}_z\, \bar b\big)$$
$$P_C = (w)\big(\mathit{tell}_A (\downarrow_w \bar a ; E) \;.\; 0\big)$$

Even though A might apparently look honest, she is not. In fact, if we reduce S by performing all the tell and fuse actions, we obtain:

$$S' = (s,t)\big(A[\mathit{do}_t\, a . \mathit{do}_s\, b] \;\mid\; B[\mathit{do}_s\, \bar b] \;\mid\; C[0] \;\mid\; t[A\ \mathit{says}\ a . E \mid C\ \mathit{says}\ \bar a ; E] \;\mid\; s[A\ \mathit{says}\ b ; E \mid B\ \mathit{says}\ \bar b . E]\big)$$

Here, S' cannot reduce further. Indeed, C (dishonestly) avoids performing the internal choice required by his contract. Then, A is stuck, waiting for a from C. Therefore, A is dishonest, because she does not perform the promised action b. Formally, the dishonesty of A follows because $RS(b ; E) = \{\{b\}\}$, but $b \notin WRD^A_s(S')$. Thus, A is not ready in S', hence not honest in S.

Our definition of honesty subsumes a fair scheduler, which 
eventually allows participants to fire persistently (weakly) enabled 
do actions. This is illustrated by the following two examples. 

Example 4.11. Consider the contract $c = a \oplus b$, and let:

$$P = (x)(\mathsf{tell}\!\downarrow_x c .\ \mathsf{fuse} .\ X(x)) \qquad X(x) = \tau . X(x) + \tau . \mathsf{do}_x\, a + \tau . \mathsf{do}_x\, b$$

Let $S = A[P] \mid S_0$, and assume that the fuse in P passes. Then, S reduces to $S' = (s)(A[X(s)] \mid s[A \text{ says } c \mid \cdots] \mid S_0)$. Under an unfair scheduler, A could always take the first branch in X, while neglecting the others. Intuitively, this would make A not respect her contract, which expects a or b. However, a fair scheduler will eventually choose one of the other branches. Technically, the fair scheduler is rendered within Def. 4.5 and 4.9: Def. 4.5 considers a and b weakly enabled in S', because there exists a way to reach each of them. Since from any reduct of S' either a or b is reachable, Def. 4.9 considers A[P] honest.

Example 4.12. Consider the contract $c = a + b$ and let:

$$P = (x)(\mathsf{tell}\!\downarrow_x c .\ \mathsf{fuse} .\ X(x))$$
$$X(x) = \tau . X(x) + \tau . (\tau . X(x) + \mathsf{do}_x\, a) + \tau . (\tau . X(x) + \mathsf{do}_x\, b)$$

Let $S = A[P] \mid S_0$. After the fuse, the system S reduces to $S' = (s)(A[X(s)] \mid s[A \text{ says } c \mid \cdots] \mid S_0)$. As in the previous example, an unfair scheduler might make A not respect her contract. However, in all the reducts of S' both a and b are reachable. Indeed, there is no branch which definitely commits to one of the two actions. Therefore, according to Def. 4.9, A[P] is honest.

Figure 3. Channel type semantics.

$$\alpha . T \xrightarrow{\alpha} T \qquad\qquad \frac{T \xrightarrow{\alpha} T'}{T + T'' \xrightarrow{\alpha} T'}\ \text{[E-Sum]} \qquad\qquad \frac{T \xrightarrow{\alpha} T'}{T \mid T'' \xrightarrow{\alpha} T' \mid T''} \qquad\qquad \frac{T\{\mathsf{rec}\,X.T/X\} \xrightarrow{\alpha} T'}{\mathsf{rec}\,X.T \xrightarrow{\alpha} T'}$$

Structural congruence: $\mathsf{rec}\,X.T \equiv T\{\mathsf{rec}\,X.T/X\}$, plus the commutative monoidal laws for $\mid$ and $+$.

5. A Type System for CO2

We now introduce a type system for CO2. The main result is type safety (established in Th. 5.35), which guarantees that typeable participants are honest.

The type of a process P is a function f, which maps each channel (either session name or variable) to a channel type. Channel types are behavioural types which essentially preserve the structure of P (branching, parallel composition, recursion), while abstracting the actual prefixes and delimitations. Crucially, the prefixes of channel types distinguish between nonblocking and possibly blocking actions: it is the possibly blocking ones that can leave a participant unable to honour a promise.

In Sect. 5.1 we define channel types; then, in Sect. 5.2 we define process types and the type system for processes. In Sect. 5.3 we present an auxiliary set of typing rules for CO2 systems, which are only needed to state subject reduction and progress in Sect. 5.4. Type safety is established in Sect. 5.5.

5.1 Channel types

Channel types extend Basic Parallel Processes (BPPs) by allowing prefixes of the following kinds: atoms (a, b, ...), nonblocking silent actions ($\tau$), possibly blocking silent actions ($\tau?$), conditional silent actions depending on observables ($\tau_\phi$), and contract advertisement actions ($\langle c \rangle$).

Definition 5.1 (Channel types). The syntax of channel types T and prefixes $\alpha$ is defined as follows:

$$T ::= 0 \;\mid\; \alpha . T \;\mid\; T + T \;\mid\; T \mid T \;\mid\; \mathsf{rec}\,X . T \;\mid\; X$$
$$\alpha ::= a \;\mid\; \tau \;\mid\; \tau? \;\mid\; \tau_\phi \;\mid\; \langle c \rangle$$

We denote with $\mathbb{T}$ the set of all channel types.

The semantics of channel types is given in Def. 5.2 in terms of a labelled transition relation $\xrightarrow{\alpha}$.

Definition 5.2 (Channel type semantics). The relation $\xrightarrow{\alpha}$ is the least relation closed under the rules of Fig. 3.

The rules for $\xrightarrow{\alpha}$ are the standard ones for BPPs. Hereafter, we shall identify structurally congruent channel types.

Example 5.3. Consider the following CO2 process:

$$P = \mathsf{tell}\!\downarrow_x c_1 \mid (\mathsf{tell}\!\downarrow_y d .\ \mathsf{do}_x\, a)$$

where $c_1 = a \oplus b$, and d is immaterial. We anticipate that the channel types associated by our type system to P on channels x and y are, respectively:

$$T_x = \langle c_1 \rangle \mid \tau . a \qquad\qquad T_y = \tau \mid \langle d \rangle . \tau?$$

Note that the advertisement of $\downarrow_x c_1$ is recorded in $T_x$, while that of $\downarrow_y d$ is abstracted there as a $\tau$. Instead, the $\tau?$ in $T_y$ represents the fact that the $\mathsf{do}_x\, a$ may potentially block the actions in its continuation. The channel type $T_x$ can reduce in several ways, e.g.:

$$T_x \xrightarrow{\langle c_1 \rangle} \tau . a \xrightarrow{\tau} a \xrightarrow{a} 0 \tag{5}$$
$$T_x \xrightarrow{\tau} \langle c_1 \rangle \mid a \xrightarrow{a} \langle c_1 \rangle \xrightarrow{\langle c_1 \rangle} 0 \tag{6}$$

Figure 4. Abstract processes semantics.

$$\frac{T \xrightarrow{\langle c \rangle} T'}{(\mathcal{C}, T) \to (\mathcal{C} \cup \{c\}, T')}\ \text{[A-Tell1]} \qquad \frac{c \in \mathcal{C}}{(\mathcal{C}, T) \to (c, T)}\ \text{[A-Fuse]} \qquad \frac{T \xrightarrow{\langle c' \rangle} T'}{(c, T) \to (c, T')}\ \text{[A-Tell2]}$$
$$\frac{T \xrightarrow{\alpha} T' \qquad \alpha \in \{\tau, \tau?, \tau_\phi\}}{(\mathcal{C}, T) \to (\mathcal{C}, T')}\ \text{[A-Tau1]} \qquad \frac{T \xrightarrow{\alpha} T' \qquad \alpha \in \{\tau, \tau?, \tau_\phi\}}{(c, T) \to (c, T')}\ \text{[A-Tau2]}$$
$$\frac{T \xrightarrow{a} T' \qquad c \rightsquigarrow_{a} c'}{(c, T) \to (c', T')}\ \text{[A-Do]} \qquad \frac{c \rightsquigarrow_{\mathit{ctx}} c'}{(c, T) \to (c', T)}\ \text{[A-Ctx]}$$


The execution of CO2 systems relies both on processes and on 
(advertised/stipulated) contracts. An abstraction of the latter is then 
used to define an abstract semantics of processes. 

Definition 5.4 (Abstract processes). An abstract process is either a pair $(\mathcal{C}, T)$ or a pair $(c, T)$, where $\mathcal{C}$ is a set of contracts, c is a contract, and T is a channel type.

Definition 5.5 (Abstract process semantics). The semantics of abstract processes is given in terms of a transition relation $\to$, which is the least relation closed under the rules of Fig. 4.

An abstract process $(\mathcal{C}, T)$ represents a process abstracted by T on some channel x, after the contracts in $\mathcal{C}$ have been advertised. Instead, an abstract process $(c, T)$ represents a process abstracted by T on some channel x, after the contract c has been stipulated.

The set $\mathcal{C}$ grows when a channel type T in $(\mathcal{C}, T)$ performs a transition with label $\langle c \rangle$ (rule [A-Tell1]). After one of the contracts in $\mathcal{C}$ has been stipulated (rule [A-Fuse]), it can be reduced through the rules [A-Do] and [A-Ctx]. Rule [A-Do] models a $\mathsf{do}\ a$ action performed by T, while rule [A-Ctx] models an (unknown) action performed by the context. Further advertisements are neglected (rule [A-Tell2]). Notice that in rules [A-Do] and [A-Ctx] contracts are reduced through the relation $\rightsquigarrow$. This relation abstracts the contract semantics $\to$, by considering only the contract advertised by P (instead of the whole bilateral contract). The actions performed by the context are labelled with ctx. We leave the relation $\rightsquigarrow$ unspecified (see [2] for a possible instantiation), and we just require that $\rightsquigarrow$ is decidable, and that for all $\gamma = A \text{ says } c \mid B \text{ says } d$ such that $c \bowtie d$:

$$\gamma \xrightarrow{A \text{ says } a} A \text{ says } c' \mid B \text{ says } d' \implies c \rightsquigarrow_{a} c'$$
$$\gamma \xrightarrow{B \text{ says } b} A \text{ says } c' \mid B \text{ says } d' \implies c \rightsquigarrow_{\mathit{ctx}} c'$$



Example 5.6. Recall the trace (5) in Ex. 5.3. That induces the following two traces for the abstract process $(\emptyset, T_x)$. Below, we annotate arrows with rule names from Fig. 4:

$$(\emptyset, T_x) \xrightarrow{\text{[A-Tell1]}} (\{c_1\}, \tau . a) \xrightarrow{\text{[A-Fuse]}} (c_1, \tau . a) \xrightarrow{\text{[A-Tau2]}} (c_1, a) \xrightarrow{\text{[A-Do]}} (E, 0)$$
$$(\emptyset, T_x) \xrightarrow{\text{[A-Tell1]}} (\{c_1\}, \tau . a) \xrightarrow{\text{[A-Tau1]}} (\{c_1\}, a) \xrightarrow{\text{[A-Fuse]}} (c_1, a) \xrightarrow{\text{[A-Do]}} (E, 0)$$

Instead, we are not able to follow trace (6), since:

$$(\emptyset, T_x) \xrightarrow{\text{[A-Tau1]}} (\emptyset, \langle c_1 \rangle \mid a) \not\xrightarrow{\text{[A-Do]}}$$

Intuitively, in (6) the action a is performed before the contract $c_1$ is advertised, but this is not possible because of rule [A-Do], which only fires on a stipulated contract.

Figure 5. Channel type semantics (weak transition, parameterised by A and c).

We now introduce the abstract counterpart of the dynamic notion of honesty in Sect. 4. We shall follow the path outlined for concrete processes: first we define when a channel type T is "ready for a contract", and then when T is honest.

In the case of concrete processes, readiness requires matching the "weak ready do" set of the process against the ready sets of the contract (Def. 4.8). Similarly, here we shall match the "weak transitions" of a channel type with the ready sets of the contract.

Indeed, such weak transitions abstract the weak ready do set. That is, if an abstract process can take a weak transition a, then also the concrete one can do that. This under-approximation is needed to ensure the correctness of abstract honesty: if an abstract process is honest, then also the concrete one is such (while the converse does not always hold).

Recall that the actions a in the weak ready do set (of session s) are those to be fired in a $\mathsf{do}_s\, a$ by the concrete process. Their abstract counterpart, i.e. the labels of weak transitions, considers actions reachable through sequences of non-blocking (abstract) transitions, which are included in the ready do set. Unlike in the concrete case, the context is immaterial in determining weak transitions.

Weak transitions are defined in Fig. 5 as a labelled relation $\Rightarrow_c$ (simply written as $\Rightarrow$ when unambiguous). The first two rules are standard: they just collapse the $\tau$ actions as usual. The third rule also collapses contract advertisement actions, which are nonblocking as well. Possibly blocking actions $\tau?$ are not collapsed, while $\tau_\phi$ actions are dealt with by the last rule. The action $\tau_\phi$ is the abstraction of the CO2 prefix $\mathsf{ask}_u\, \phi$. Such action is collapsed only if such ask is non-blocking. The relation $\vdash^\sharp$ safely (under-)approximates this condition. We leave $\vdash^\sharp$ unspecified (just like $\vdash$ in Sect. 3), and we only require that it respects the constraint in Def. 5.7 below.

Definition 5.7 (Abstract observability). We write $c \vdash^\sharp \phi$ for any decidable relation between contracts and observables satisfying:

$$c \vdash^\sharp \phi \implies \forall B .\ \forall d .\ \big(c \bowtie d \implies A \text{ says } c \mid B \text{ says } d \vdash \phi\big)$$

The definition of abstract readiness (Def. 5.8) follows along the lines of Def. 4.8.
Definition 5.8 (Abstract readiness). For a channel type T and a contract c, we say that T is abstractly ready for c iff:

$$\exists X \in RS(c) .\ \forall a \neq e .\ \big(a \in X \lor \mathsf{ready}\ a \in X \implies T \overset{a}{\Longrightarrow}\big)$$

Hereafter, when referring to properties of abstract entities, we shall omit the qualifier "abstractly", e.g. we shall write that a channel type is "ready", instead of "abstractly ready".

Honesty of abstract processes is defined similarly to Def. 4.9. In order to be honest, a process must keep itself (abstractly) ready upon transitions. Readiness must be checked against all the contracts that may be stipulated along the reductions of the abstract process, starting from the empty set of contracts.

Definition 5.9 (Abstract honesty). We say that:

• An abstract process $(\_, T)$ is honest iff $\forall c, T' .\ (\_, T) \to^* (c, T') \implies T'$ is ready for c.

• A channel type T is honest iff $(\emptyset, T)$ is honest.

Informally, we say that T realizes c whenever $(c, T)$ is honest.

Example 5.10. Recall the type $T_x = \langle c_1 \rangle \mid \tau . a$, and the contract $c_1 = a \oplus b$ from Ex. 5.6. To determine whether $T_x$ is honest, we examine all the reducts of the abstract process $(\emptyset, T_x)$ to check for readiness. We have the following cases:

1. $(\emptyset, T_x)$. Nothing to check, because no contracts have been advertised yet.

2. $(\emptyset, \langle c_1 \rangle \mid a)$. Similar to the previous case.

3. $(\{c_1\}, \tau . a)$. Nothing to check, because no contracts have been stipulated yet.

4. $(\{c_1\}, a)$. Similar to the previous case.

5. $(c_1, \tau . a)$. We have that $\tau . a$ is ready for $c_1$, because for $\{a\} \in RS(c_1) = \{\{a\}, \{b\}\}$, we have $\tau . a \overset{a}{\Longrightarrow}$.

6. $(c_1, a)$. We have that a is ready for $c_1$, similarly to the previous case.

7. $(E, 0)$. We have that 0 is vacuously ready for E.

Summing up, we conclude that $T_x$ is honest.

Th. 5.11 below establishes that checking the honesty of a channel type T is decidable. Indeed, both abstract readiness and abstract dishonesty are reachability properties. Abstract processes are the product of a finite state system ($\mathcal{C}$ and c only admit finitely many states) and a Basic Parallel Process. This product can be modelled as a Petri net. Decidability follows because reachability is decidable for Petri nets [16].

Theorem 5.11. Abstract honesty is decidable. 
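The reachability argument behind Th. 5.11 can be made concrete. The Python program below is an added example, not code from the paper: it implements the channel type semantics of Fig. 3, the abstract process semantics of Fig. 4, abstract readiness (Def. 5.8) and abstract honesty (Def. 5.9) by exhaustive exploration, and re-runs the case analysis of Ex. 5.10. It leaves out $\tau_\phi$ and the abstract observability relation $\vdash^\sharp$, so only $\tau$, $\tau?$, $\langle c \rangle$ and atoms are modelled. The contract AST (internal choice, external choice, $\mathsf{ready}\ a . c$, $E$), the ready-set and $\rightsquigarrow$ functions over it, the state encoding and all function names are this example's own assumptions, not notation from the paper. The search is a plain depth-first traversal of the abstract states, which terminates when that state space is finite (as in the paper's examples); the `limit` guard stops it otherwise.

```python
# Added example, not code from the paper: exhaustive check of abstract honesty
# (Def. 5.9) over the abstract process semantics of Fig. 4. Channel types carry
# tau, tau?, <c> and atoms; tau_phi and the abstract observability relation are
# left out. Contracts are a constructed AST: ('int', branches) for (+) a_i ; c_i,
# ('ext', branches) for sum a_i . c_i, ('ready', a, c) for ready a . c, and E.
E, NIL, TAU, TAUQ = ('E',), ('nil',), ('tau',), ('tauq',)      # E, 0, tau, tau?

def act(a): return ('act', a)
def tell(c): return ('tell', c)
def pre(alpha, t): return ('pre', alpha, t)
def sum_(*ts): return ('sum', ts)
def par(*ts): return ('par', ts)

def ready_sets(c):          # RS(c): sets of atoms, one of which A must be able to fire
    if c[0] == 'int':   return [frozenset([a]) for a, _ in c[1]]     # any one branch
    if c[0] == 'ext':   return [frozenset(a for a, _ in c[1])]       # every branch
    if c[0] == 'ready': return [frozenset([c[1]])]
    return [frozenset()]                                             # E: vacuous

def contract_do(c, a):      # c ~>a c': A fires a (internal choice or ready)
    if c[0] == 'int':   return [k for b, k in c[1] if b == a]
    if c[0] == 'ready': return [c[2]] if c[1] == a else []
    return []

def contract_ctx(c):        # c ~>ctx c': the partner selects an external branch
    return [('ready', a, k) for a, k in c[1]] if c[0] == 'ext' else []

def subst(t, x, r):         # T{r/X}
    k = t[0]
    if k == 'var': return r if t[1] == x else t
    if k == 'pre': return ('pre', t[1], subst(t[2], x, r))
    if k == 'rec': return t if t[1] == x else ('rec', t[1], subst(t[2], x, r))
    if k in ('sum', 'par'): return (k, tuple(subst(u, x, r) for u in t[1]))
    return t

def norm(t):                # structural congruence: + and | are commutative monoids
    k = t[0]
    if k in ('pre', 'rec'): return (k, t[1], norm(t[2]))
    if k in ('sum', 'par'):
        parts = []
        for u in map(norm, t[1]):
            parts.extend(u[1] if u[0] == k else [] if u == NIL else [u])
        if not parts: return NIL
        return parts[0] if len(parts) == 1 else (k, tuple(sorted(parts, key=repr)))
    return t

def steps(t):               # Fig. 3: all (alpha, T') with T -alpha-> T'
    k = t[0]
    if k == 'pre': return [(t[1], t[2])]
    if k == 'sum': return [s for u in t[1] for s in steps(u)]
    if k == 'par': return [(alpha, par(*t[1][:i], u2, *t[1][i + 1:]))
                           for i, u in enumerate(t[1]) for alpha, u2 in steps(u)]
    if k == 'rec': return steps(subst(t[2], t[1], t))
    return []

def weak_can(t, a):         # T =>a : a reachable through tau and <c> prefixes only;
    seen, todo = set(), [norm(t)]   # tau? is never collapsed (it may block)
    while todo:
        u = todo.pop()
        if u in seen: continue
        seen.add(u)
        for alpha, u2 in steps(u):
            if alpha == act(a): return True
            if alpha == TAU or alpha[0] == 'tell': todo.append(norm(u2))
    return False

def ready(t, c):            # Def. 5.8: some ready set of c is entirely weakly doable
    return any(all(weak_can(t, a) for a in X) for X in ready_sets(c))

def abstract_steps(state):  # Fig. 4 on states ('adv', C, T) and ('stip', c, T)
    phase, cc, t = state
    out = []
    for alpha, t2 in steps(t):
        t2 = norm(t2)
        if alpha[0] == 'tell':                                 # [A-Tell1]/[A-Tell2]
            out.append((phase, cc | {alpha[1]} if phase == 'adv' else cc, t2))
        elif alpha in (TAU, TAUQ):                             # [A-Tau1]/[A-Tau2]
            out.append((phase, cc, t2))
        elif phase == 'stip':                                  # [A-Do]
            out += [('stip', c2, t2) for c2 in contract_do(cc, alpha[1])]
    if phase == 'adv': out += [('stip', c, t) for c in cc]     # [A-Fuse]
    else: out += [('stip', c2, t) for c2 in contract_ctx(cc)]  # [A-Ctx]
    return out

def honest(t, limit=10000): # Def. 5.9: (True, None) or (False, first non-ready state)
    start = ('adv', frozenset(), norm(t))
    seen, todo = {start}, [start]
    while todo:
        s = todo.pop()
        if s[0] == 'stip' and not ready(s[2], s[1]): return False, s
        for s2 in abstract_steps(s):
            if s2 not in seen:
                if len(seen) >= limit: raise RuntimeError('state bound exceeded')
                seen.add(s2); todo.append(s2)
    return True, None

# Ex. 5.10: T_x = <c1> | tau . a with c1 = a (+) b.   honest(T_X) -> (True, None)
C1 = ('int', (('a', E), ('b', E)))
T_X = par(tell(C1), pre(TAU, pre(act('a'), NIL)))
# A blocking tau? between the advertisement and the promised choice (cf. Ex. 5.37)
# is never collapsed by =>, so (c2, tau? . ...) is not ready.   honest(T_N)[0] -> False
C2 = ('int', (('ok', E), ('no', E)))
T_N = pre(tell(C2), pre(TAUQ, sum_(pre(act('ok'), NIL), pre(TAU, pre(act('no'), NIL)))))
```

The checker returns the first stipulated state whose channel type is not ready, which is the evidence a reviewer wants: for a type that blocks on a $\tau?$ (or on another session) between advertising a contract and honouring it, that state names the very contract the participant would be culpable for. Note that [A-Fuse] may fire in any state after the advertisement, so a process that fuses its own contract and only then starts serving it is already abstractly dishonest, even when (as in Ex. 4.11) it is concretely honest; this is the under-approximation discussed above.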
5.2 Process types

Process types associate session names/variables to channel types, thus abstracting the behaviour of a process on all channels. Additionally, we consider a special "dummy" channel $* \notin \mathcal{N} \cup \mathcal{V}$, where we collect type information about unused channels.

Definition 5.12 (Process type). A CO2 process type is a function $f : \mathcal{N} \cup \mathcal{V} \cup \{*\} \to \mathbb{T}$.

Intuitively, our type system abstracts concrete prefixes of CO2 processes as actions of channel types. Such abstraction is rendered as the mapping in Def. 5.13. We observe the behaviour of a process P on each channel, say u. When P performs an action on one of its channels, say v, then:

• if $v \neq u$, we will only observe a silent action, either nonblocking ($\tau$) or possibly blocking ($\tau?$), depending on the concrete prefix fired;

• if $v = u$, we may observe more information, depending on the concrete prefix fired.



Figure 6. Typing rules for processes.

$$\frac{\Gamma \vdash P_i : f_i \qquad \forall i \in I}{\Gamma \vdash \sum_{i \in I} \pi_i . P_i : \lambda u .\ \sum_{i \in I} [\pi_i]_u . f_i(u)}\ \text{[T-Sum]} \qquad\qquad \frac{\Gamma \vdash P : f \qquad \Gamma \vdash Q : g}{\Gamma \vdash P \mid Q : \lambda u .\ f(u) \mid g(u)}\ \text{[T-Par]}$$

$$\frac{X(\vec u) \triangleq P \qquad \Gamma\{f / X(\vec v)\} \vdash P\{\vec v / \vec u\} : f}{\Gamma \vdash X(\vec v) : f}\ \text{[T-Def]} \qquad \frac{\Gamma(X(\vec v)) = f}{\Gamma \vdash X(\vec v) : f}\ \text{[T-Var]} \qquad \frac{\Gamma \setminus u \vdash P : f \qquad f(u)\ \text{honest}}{\Gamma \vdash (u)P : f\{f(*)/u\}}\ \text{[T-Del]}$$

$$\text{where } (\Gamma \setminus u)(Y(\vec w)) = \begin{cases} \Gamma(Y(\vec w)) & \text{if } u \notin \vec w \\ \text{undefined} & \text{otherwise} \end{cases}$$



For instance, if P advertises a contract c with a $\mathsf{tell}\!\downarrow_v c$, then the action $\langle c \rangle$ will be visible if $v = u$, while we shall just observe a $\tau$ if $v \neq u$. Similarly, if P performs $\mathsf{do}_v\, a$ we shall observe the action a if $v = u$ and $\tau?$ if $v \neq u$. Finally, if P executes a query $\mathsf{ask}_v\, \phi$ we shall observe the conditional silent action $\tau_\phi$ if $u = v$ and $\tau?$ otherwise. This allows for exploiting suitable static approximations of the relation $\vdash$ (see e.g. Fig. 5).

Definition 5.13 (Prefix abstraction). For all $u \in \mathcal{N} \cup \mathcal{V} \cup \{*\}$, we define the mapping $[\cdot]_u$ from CO2 prefixes to channel type prefixes as follows:

$$[\tau]_u = \tau \qquad\qquad [\mathsf{tell}\!\downarrow_v c]_u = \text{if } v = u \text{ then } \langle c \rangle \text{ else } \tau$$
$$[\mathsf{fuse}]_u = \tau? \qquad\qquad [\mathsf{do}_v\, a]_u = \text{if } v = u \text{ then } a \text{ else } \tau?$$
$$[\mathsf{ask}_v\, \phi]_u = \text{if } v = u \text{ then } \tau_\phi \text{ else } \tau?$$

The typing judgements for processes have the form $\Gamma \vdash P : f$, where $\Gamma$ is a typing environment, giving types to process invocations $X(\vec v)$.

Definition 5.14 (Typing environment). A typing environment $\Gamma$ is a partial function which associates process types to pairs $(X, \vec v)$, where X is a CO2 process identifier, and $\vec v$ is an n-tuple of session variables/names. We will often write $\Gamma(X(\vec v))$ instead of $\Gamma(X, \vec v)$.

We can now introduce the typing rules for CO2 processes.

Definition 5.15 (Typing rules for processes). The typing rules for processes are shown in Fig. 6.

Rule [T-Sum] abstracts the prefixes which guard the branches of a summation, according to Def. 5.13. The resulting process type is expressed through the usual $\lambda$-notation. The type of a parallel composition is the pointwise parallel composition of the component types (rule [T-Par]). Rules [T-Def] and [T-Var] are mostly standard. Rule [T-Var] retrieves the type of a process variable from the typing environment, which is populated by rule [T-Def]. The rule for typing delimitations ([T-Del]) is worth some extra comments. Assume that P is typed with f. Since u is not free in (u)P, the actions on channel u must not be observable in the typing of (u)P. To do that, in the typing of (u)P we discard the information on u, by replacing it with the typing information on the "dummy" channel *. However, since this might hide a dishonest behaviour on channel u, the rule also requires checking that f(u) is honest: without this side condition a participant could conceal culpable behaviour behind a private session name. Moreover, if the environment $\Gamma$ has typing information on channel u, this cannot be used while typing P. The typing environment $\Gamma \setminus u$, which discards the information on u, is used to this purpose.
Example 5.16. Recall the process $P_2 = \tau . \mathsf{do}_s\, a + \tau . \mathsf{do}_s\, b$ from Ex. 4.2. Its typing derivation is obtained by [T-Sum] as follows:

$$\frac{\vdash \mathsf{do}_s\, a : \lambda u .\ [\mathsf{do}_s\, a]_u = f_1 \qquad \vdash \mathsf{do}_s\, b : \lambda u .\ [\mathsf{do}_s\, b]_u = f_2}{\vdash P_2 : f = \lambda u .\ [\tau]_u . f_1(u) + [\tau]_u . f_2(u)}$$

We have $f(s) = \tau . a + \tau . b$, and for all $u \neq s$, $f(u) = f(*) = \tau . \tau? + \tau . \tau?$. In other words, the process type f performs some visible actions when "observed" from channel s, while remaining "silent" on other channels. If we slightly change the process, and consider instead $P_2' = \tau . \mathsf{do}_s\, a + \tau . \mathsf{do}_t\, b$, we have:

$$\frac{\vdash \mathsf{do}_s\, a : \lambda u .\ [\mathsf{do}_s\, a]_u = f_1 \qquad \vdash \mathsf{do}_t\, b : \lambda u .\ [\mathsf{do}_t\, b]_u = f_2}{\vdash P_2' : f' = \lambda u .\ [\tau]_u . f_1(u) + [\tau]_u . f_2(u)}$$

and thus:

$$f'(s) = \tau . a + \tau . \tau? \qquad f'(t) = \tau . \tau? + \tau . b \qquad \forall u \notin \{s, t\} .\ f'(u) = f'(*) = \tau . \tau? + \tau . \tau?$$

Types are preserved by structural equivalence of processes.

Lemma 5.17. $P \equiv P' \land \Gamma \vdash P : f \implies \Gamma \vdash P' : f$

Observe that the type system assigns the same type (up to structural congruence) to all non-free session names/variables, including *, and that such type may only contain actions $\tau$ and $\tau?$.

Lemma 5.18. $z \notin \mathit{fnv}(P) \land \Gamma \vdash P : f \implies f(z) = f(*)$

Definition 5.19. We define a partial order $\sqsubseteq$ on process types as:

$$f \sqsubseteq f' \iff \forall u \in \mathcal{N} \cup \mathcal{V} \cup \{*\} .\ f(u) = f'(u) \lor f(u) = f'(*)$$

Delimitation makes types smaller w.r.t. $\sqsubseteq$.

Lemma 5.20. $\vdash (u)P : f \land \vdash P : f' \implies f \sqsubseteq f'$

A process type f takes a transition on a CO2 prefix $\pi$ when all its points f(u) agree to take a transition on the abstract prefix $[\pi]_u$.

Definition 5.21 (Process type reduction). We write $f \xrightarrow{\pi} f'$ whenever $\forall u \in \mathcal{N} \cup \mathcal{V} \cup \{*\} .\ f(u) \xrightarrow{[\pi]_u} f'(u)$.

Example 5.22. Recall the process $P_1 = \mathsf{do}_s\, a + \mathsf{do}_s\, b + \mathsf{do}_s\, z$ from Ex. 4.2. Its typing is $\vdash P_1 : f = \lambda u .\ [\mathsf{do}_s\, a]_u + [\mathsf{do}_s\, b]_u + [\mathsf{do}_s\, z]_u$. Let $f' = \lambda u .\ 0$. We have that $f \xrightarrow{\mathsf{do}_s\, a} f'$, since:

• $[\mathsf{do}_s\, a]_s = a$ and $f(s) = a + b + z \xrightarrow{a} 0 = f'(s)$;

• $\forall v \neq s .\ [\mathsf{do}_s\, a]_v = \tau?$ and $f(v) = \tau? + \tau? + \tau? \xrightarrow{\tau?} 0 = f'(v)$.

Note that, in this case, we also have $f \xrightarrow{\mathsf{do}_s\, b} f'$ and $f \xrightarrow{\mathsf{do}_s\, z} f'$.

If f is the type associated to some process, and f(u) takes an abstract transition, then the whole f can take a transition, and the labels on the transitions agree.

Lemma 5.23 (Channel type and process type reductions). For all inhabited types f, and for all $u \in \mathcal{N} \cup \mathcal{V}$,

$$f(u) \xrightarrow{\alpha} T' \implies \exists \pi, f' .\ [\pi]_u = \alpha \land f'(u) = T' \land f \xrightarrow{\pi} f'$$

We extend to process types the notion of honesty of Def. 5.9.

Definition 5.24 (Process type honesty). We say that f is honest iff f(u) is honest, for all $u \in \mathcal{N} \cup \mathcal{V} \cup \{*\}$.

Note that, when $\vdash P : f$, checking the honesty of f amounts to checking f(u) honest, for all $u \in \mathit{fnv}(P)$. Indeed, by Lemma 5.18, $f(u) = f(*)$ on the other channels, and $f(*)$ is
trivially honest because it cannot advertise contracts. 
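To see how a process type is actually built from Def. 5.13 and Fig. 6, the following Python program, an added example and not code from the paper, types a constructed CO2 process AST and reproduces the types of Ex. 5.3, 5.16 and 5.22, as well as the collapse of a delimited channel onto * (Lemma 5.18). The process and type constructors, the function names, the `honest` hook standing in for the side condition of [T-Del] (which would be a checker for Def. 5.9), and the assumptions that delimited names are distinct from names substituted for process parameters and that free channels occur in P itself or as arguments of process calls, are all this example's own; $\tau_\phi$ prefixes are produced but not interpreted.

```python
# Added example, not the paper's code: the prefix abstraction of Def. 5.13 and the
# rules [T-Sum], [T-Par], [T-Def]/[T-Var], [T-Del] of Fig. 6, computing the process
# type f (channels of P plus the dummy '*' -> channel types) of a constructed CO2
# process AST. The honesty side condition of [T-Del] is a hook (assumed to be a
# checker for Def. 5.9). Delimited names are assumed distinct from any name
# substituted for a process parameter, and free channels are assumed to occur
# in P itself or as arguments of process calls.
NIL, TAU, TAUQ = ('nil',), ('tau',), ('tauq',)
NILP = ('sum', ())                                   # the nil process: empty sum

# Processes: ('sum', ((pi, P), ...)) | ('par', (P, ...)) | ('del', u, P) | ('call', X, args)
# Prefixes:  ('tau',) | ('fuse',) | ('tell', v, c) | ('do', v, a) | ('ask', v, phi)
def sm(*branches): return ('sum', branches)
def tau(p=NILP): return (('tau',), p)
def fuse(p=NILP): return (('fuse',), p)
def tellc(v, c, p=NILP): return (('tell', v, c), p)
def do(v, a, p=NILP): return (('do', v, a), p)
def ask(v, phi, p=NILP): return (('ask', v, phi), p)
def pre(alpha, t): return ('pre', alpha, t)

def abstract_prefix(pi, u):                          # [pi]_u of Def. 5.13
    kind = pi[0]
    if kind == 'tau':  return TAU
    if kind == 'fuse': return TAUQ
    if kind == 'tell': return ('tell', pi[2]) if pi[1] == u else TAU
    if kind == 'do':   return ('act', pi[2]) if pi[1] == u else TAUQ
    if kind == 'ask':  return ('tauphi', pi[2]) if pi[1] == u else TAUQ
    raise ValueError(pi)

def rename(p, old, new):                             # P{new/old} on channels
    r = lambda v: new if v == old else v
    k = p[0]
    if k == 'sum':
        return ('sum', tuple(((pi[0], r(pi[1]), pi[2]) if len(pi) == 3 else pi,
                              rename(q, old, new)) for pi, q in p[1]))
    if k == 'par': return ('par', tuple(rename(q, old, new) for q in p[1]))
    if k == 'del': return p if p[1] == old else ('del', p[1], rename(p[2], old, new))
    return ('call', p[1], tuple(r(v) for v in p[2]))

def channel_type(p, u, defs, env=(), honest=lambda T: True):
    """Type of P on channel u (Fig. 6). env lists the X(v) being unfolded
    ([T-Def]); a nested occurrence becomes a recursion variable ([T-Var])."""
    k = p[0]
    if k == 'sum':                                                          # [T-Sum]
        ts = tuple(pre(abstract_prefix(pi, u), channel_type(q, u, defs, env, honest))
                   for pi, q in p[1])
        return NIL if not ts else ts[0] if len(ts) == 1 else ('sum', ts)
    if k == 'par':                                                          # [T-Par]
        return ('par', tuple(channel_type(q, u, defs, env, honest) for q in p[1]))
    if k == 'del':                                                          # [T-Del]
        env2 = tuple(e for e in env if p[1] not in e[1])                    # Gamma \ u
        if not honest(channel_type(p[2], p[1], defs, env2, honest)):        # f(u) honest
            raise TypeError(f'channel type on {p[1]} is not honest')
        return channel_type(p[2], '*' if u == p[1] else u, defs, env2, honest)  # f{f(*)/u}
    key = (p[1], p[2])                                                      # X(v)
    if key in env: return ('var', key)                                      # [T-Var]
    params, body = defs[p[1]]
    for old, new in zip(params, p[2]): body = rename(body, old, new)        # P{v/u}
    return ('rec', key, channel_type(body, u, defs, env + (key,), honest))  # [T-Def]

def channels(p):                                     # channels mentioned in P
    k = p[0]
    if k == 'sum':
        return {pi[1] for pi, _ in p[1] if len(pi) == 3}.union(*(channels(q) for _, q in p[1]))
    if k == 'par': return set().union(*(channels(q) for q in p[1]))
    if k == 'del': return channels(p[2])
    return set(p[2])

def process_type(p, defs=None, honest=lambda T: True):
    """f on the channels of P and on '*'; by Lemma 5.18 any other channel gets f('*')."""
    return {u: channel_type(p, u, defs or {}, (), honest) for u in sorted(channels(p)) + ['*']}

# Ex. 5.16: P2 = tau . do_s a + tau . do_s b;  process_type(P2)['s'] is tau . a + tau . b
P2 = sm(tau(sm(do('s', 'a'))), tau(sm(do('s', 'b'))))
```

The `honest` hook receives f(u) before the delimitation hides it, which is the only place the type system looks at a private channel; plugging in the Def. 5.9 checker there turns `process_type` into the static honesty check of Th. 5.35.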



Figure 7. Typing rules for systems. The symmetric rules w.r.t. $\mid$ for [T-SFused] and [T-SPar2] are omitted.

$$\frac{B \neq A}{\vdash_A B[P] \rhd f}\ \text{[T-SAFree1]} \qquad \frac{B \neq A}{\vdash_A C[\downarrow_x B \text{ says } c] \rhd f}\ \text{[T-SAFree2]} \qquad \frac{\gamma\ \ A\text{-free}}{\vdash_A s[\gamma] \rhd f}\ \text{[T-SAFree3]}$$

$$\frac{f(x) \text{ realizes } c}{\vdash_A B[\downarrow_x A \text{ says } c] \rhd f}\ \text{[T-SFrozen1]} \qquad \frac{\vdash_A B[K] \rhd f \qquad \vdash_A B[K'] \rhd f}{\vdash_A B[K \mid K'] \rhd f}\ \text{[T-SFrozen2]} \qquad \frac{f(s) \text{ realizes } c}{\vdash_A s[A \text{ says } c \mid \cdots] \rhd f}\ \text{[T-SFused]}$$

$$\frac{\emptyset \vdash P : f}{\vdash_A A[P] : f} \qquad \frac{\vdash_A S \rhd f\{f(*)/u\}}{\vdash_A (u)S \rhd f}\ \text{[T-SDel1]} \qquad \frac{\vdash_A S : f \qquad f(u) \text{ honest}}{\vdash_A (u)S : f\{f(*)/u\}}\ \text{[T-SDel2]}$$

$$\frac{\vdash_A S \rhd f \qquad \vdash_A S' \rhd f}{\vdash_A S \mid S' \rhd f}\ \text{[T-SPar1]} \qquad \frac{\vdash_A S : f \qquad \vdash_A S' \rhd f}{\vdash_A S \mid S' : f}\ \text{[T-SPar2]}$$

Lemma 5.25. $f$ honest $\land\ f' \sqsubseteq f \implies f'$ honest



5.3 System typing

The type system for processes is enough to guarantee whether a participant is honest. However, in order to establish a type safety result we have to consider the transitions of a process within a system. Hence, in order to construct an invariant of the system transitions (i.e., subject reduction), we extend typing also to systems.

Type judgements for systems are of two kinds. A judgement of the form $\vdash_A S : f$ guarantees that a participant A in S behaves according to f. Instead, a judgement of the form $\vdash_A S \rhd f$ means that A is not in S, and S is guaranteed to be compatible with a participant A which behaves as f. Our notion of compatibility is quite liberal: intuitively, it just checks that the context S has not forged contracts of A.

Definition 5.26 (System typing). The relations $\vdash_A S : f$ and $\vdash_A S \rhd f$ are the smallest relations closed under the rules in Fig. 7.

Most rules in Fig. 7 are straightforward: for instance, rules [T-SAFree*] tell that A-free systems are compatible with all f. Rules [T-SFrozen*] state that an f-compatible context (where f is the behaviour of A) may contain latent contracts of A if f realizes such contracts.

Rule [T-SFused] is similar, except that it deals with stipulated contracts of A. Rule [T-SDel2] is similar to rule [T-Del] for typing processes. Rule [T-SDel1] is dual, reflecting the fact that the type f in [T-SDel2] abstracts the behaviour of A within S, while in [T-SDel1] it represents the behaviour of A outside S.

Structural equivalence preserves system typing.

Lemma 5.27. Whenever $S \equiv S'$:
$$\vdash_A S : f \iff \vdash_A S' : f \qquad\qquad \vdash_A S \rhd f \iff \vdash_A S' \rhd f$$

The following is the system typing counterpart of Lemma 5.20.

Lemma 5.28. $\vdash_A (u)S : f \land \vdash_A S : f' \implies f \sqsubseteq f'$
Figure 8. Type substitutions.

$$f \bullet \sigma = \begin{cases} f & \text{if } \forall u_0 \in \vec u .\ f(u_0) = f(*) \\ f\{f(*)/u_0\}\{f(u_0)/s\} & \text{if } \exists!\, u_0 \in \vec u .\ f(u_0) \neq f(*) \\ \text{undefined} & \text{otherwise} \end{cases}$$

$$(\Gamma \bullet \{s/u_0\})(Y(\vec w)) = \begin{cases} \Gamma(Y(\vec w\{u_0/s\})) \bullet \{s/u_0\} & \text{if } u_0 \notin \vec w \\ \text{undefined} & \text{otherwise} \end{cases}$$



If a participant A[P] is typeable, then it can be inserted in any A-free system, and the composed system will remain typeable.

Example 5.29. Consider a participant A[P] such that $\vdash P : f$, and let $S_0 = B[Q] \mid C[\downarrow_x B \text{ says } c]$, with $B \neq A$. Notice that $S_0$ is A-free. The typing derivation of $S = A[P] \mid S_0$ is:

$$\frac{\dfrac{\vdash P : f}{\vdash_A A[P] : f} \qquad \dfrac{\dfrac{B \neq A}{\vdash_A B[Q] \rhd f} \qquad \dfrac{B \neq A}{\vdash_A C[\downarrow_x B \text{ says } c] \rhd f}}{\vdash_A B[Q] \mid C[\downarrow_x B \text{ says } c] \equiv S_0 \rhd f}}{\vdash_A S \equiv A[P] \mid S_0 : f}$$

Example 5.30. Consider now a non-A-free system $S_0$, e.g. let $S_0 = B[Q] \mid C[\downarrow_x A \text{ says } c]$, with $B \neq A$. The typing derivation of $S = A[P] \mid S_0$ is as follows:

$$\frac{\dfrac{\vdash P : f}{\vdash_A A[P] : f} \qquad \dfrac{\dfrac{B \neq A}{\vdash_A B[Q] \rhd f} \qquad \dfrac{f(x) \text{ realizes } c}{\vdash_A C[\downarrow_x A \text{ says } c] \rhd f}}{\vdash_A B[Q] \mid C[\downarrow_x A \text{ says } c] \equiv S_0 \rhd f}}{\vdash_A S \equiv A[P] \mid S_0 : f}$$

Notice that S is typeable with f only if f(x) realizes A's contract: a context carrying a contract in A's name is accepted as compatible only when A's own type honours that contract.
5.4 Subject reduction and progress

To establish subject reduction, we need to cope with the fact that the evaluation of a fuse prefix substitutes session names for variables. This substitution also affects the type of the reduct process. For instance, consider the system $A[P] \mid S$, where $\vdash P : f$ and $f(x) = T$. Assume that now the context S fires a fuse, which substitutes a fresh session name s for x. The typing of the reduct system will accommodate this by mapping s to T, while x is mapped to $f(*)$, because x is no longer free after the substitution.

Technically, this type substitution is obtained through the operator $\bullet$, introduced in the following definition.

Definition 5.31 (Type substitutions). For a mapping $\sigma$ of the form $\{s/\vec u\}$ we define the substitutions $f \bullet \sigma$ on types and $\Gamma \bullet \sigma$ on type environments as in Fig. 8.

The type of $Y(\vec w)$ in $\Gamma \bullet \sigma$ is obtained by applying $\sigma$ to the type in $\Gamma$ of the invocation $Y(\vec w\{u_0/s\})$, where $u_0$ is the variable replaced by s.

When querying a typing environment on which a substitution is applied, we use the reverse substitution to retrieve the original entry, as recorded by [T-Def]; then, we actually apply the substitution to the retrieved type. Note that we do not allow replaced variables to appear in the query.

Subject reduction guarantees that typeability is preserved by transitions. We need to distinguish between two cases, according to which participant moves: either the participant A under typing, or any other participant B. If the transition is done by A, then also its process type must take a transition; otherwise the type is preserved as is. In both cases, the substitution $\sigma$ is applied to the type, to deal with possible variable fusions.



Theorem 5.32 (Subject reduction). If $\vdash_A S : f$ with f honest, then:

$$S \xrightarrow{A : \pi, \sigma} S' \implies \exists f' .\ f \xrightarrow{\pi} f' \land \vdash_A S' : f' \bullet \sigma \tag{7}$$
$$S \xrightarrow{B : \pi, \sigma} S' \implies \vdash_A S' : f \bullet \sigma \qquad (B \neq A) \tag{8}$$



Progress guarantees that if a typeable process has a "non-blocking" type, then it can take a transition. More precisely, if the type of P on channel u can take a weak transition with label a, then P will have a in its weak ready do set (Th. 5.34). To prove that, we first establish a progress result for systems. We write $S \vdash_s \phi$ when $S \equiv s[\gamma] \mid S''$ and $\gamma \vdash \phi$, for some $S''$ and $\gamma$.

Lemma 5.33 (System progress). For all systems S, if $\vdash_A S : f$ with f honest, and $f \xrightarrow{\pi} f'$, then:

(a) if $\pi = \tau$, or $\pi = \mathsf{tell}\!\downarrow_s c$, or $\pi = \mathsf{ask}_s\, \phi$ and $S \vdash_s \phi$, then $\exists S' .\ S \xrightarrow{A : \pi} S' \land \vdash_A S' : f'$;

(b) if $\pi = \mathsf{do}_u\, a$, then $a \in RD^{u}_{A}(S)$.

Theorem 5.34 (Progress). For all $S \equiv s[A \text{ says } c \mid \cdots] \mid S'$, if $\vdash_A S : f$ with f honest, and $f(s) \overset{a}{\Longrightarrow}$, then $a \in WRD^{s}_{A}(S)$.

To prove Th. 5.34 we iterate Lemma 5.33 for all the $\to$-transitions of which $\overset{a}{\Longrightarrow}$ is composed, until firing the action a. In case of $\to$-transitions labelled $\tau_\phi$, we use the assumption that the relation $\vdash^\sharp$ satisfies the correctness condition in Def. 5.7.



5.5 Type safety

The main result of this paper is the type safety of CO2 processes (Th. 5.35). It ensures that a participant A with a well-typed process P will always respect her contracts (both those already advertised, and those that she will publish along her reductions), and thus A will never be considered culpable in any context, including those containing dishonest adversaries.

Theorem 5.35 (Type safety on processes). For all participants A[P] with P closed, if $\vdash P : f$ then A[P] is honest.

We now check the type safety of the food store example in Sect. 1.2: we analyse the malicious implementation (Ex. 5.36), the non-malicious one (Ex. 5.37), and finally the honest one (Ex. 5.38).

Example 5.36. In Fig. 9 we give the (tentative) typing of the malicious food store process $P_M$, with

$$f_{P_M}(x) = \langle c \rangle . (a . f_{X_M}(x) + b . f_{X_M}(x)) \qquad \text{where } f_{X_M}(x) = \mathit{ok} . \mathit{pay} . \tau_{\mathit{ship\text{-}a?}} . \mathit{ship\text{-}a}$$

The typing of $P_M$ fails because [T-Del] requires $f_{P_M}(x)$ to be honest, which is not the case. In fact, if the customer selects b, $f_{P_M}(x)$ takes the following transitions:

$$f_{P_M}(x) \xrightarrow{\langle c \rangle} a . f_{X_M}(x) + b . f_{X_M}(x) \xrightarrow{b} f_{X_M}(x) \xrightarrow{\mathit{ok}} \mathit{pay} . \tau_{\mathit{ship\text{-}a?}} . \mathit{ship\text{-}a} \xrightarrow{\mathit{pay}} \tau_{\mathit{ship\text{-}a?}} . \mathit{ship\text{-}a} \xrightarrow{\tau_{\mathit{ship\text{-}a?}}} \mathit{ship\text{-}a} \xrightarrow{\mathit{ship\text{-}a}} 0$$
Figure 9. Tentative typing derivation for the malicious food store. $P_{X_M}$ is the body of $X_M(x)$ in Sect. 1.2, and its typing derivation $D_{X_M}$ is used in the (tentative) typing derivation of $P_M$.

Derivation $D_{X_M}$ (each step by [T-Sum]):

$$\vdash \mathsf{do}_x\, \mathit{ship\text{-}a} : \lambda u .\ [\mathsf{do}_x\, \mathit{ship\text{-}a}]_u = f_4$$
$$\vdash \mathsf{ask}_x\, \mathit{ship\text{-}a?} . \mathsf{do}_x\, \mathit{ship\text{-}a} : \lambda u .\ [\mathsf{ask}_x\, \mathit{ship\text{-}a?}]_u . f_4(u) = f_3$$
$$\vdash \mathsf{do}_x\, \mathit{pay} . \mathsf{ask}_x\, \mathit{ship\text{-}a?} . \mathsf{do}_x\, \mathit{ship\text{-}a} : \lambda u .\ [\mathsf{do}_x\, \mathit{pay}]_u . f_3(u) = f_2$$
$$\vdash P_{X_M} = \mathsf{do}_x\, \mathit{ok} . \mathsf{do}_x\, \mathit{pay} . \mathsf{ask}_x\, \mathit{ship\text{-}a?} . \mathsf{do}_x\, \mathit{ship\text{-}a} : \lambda u .\ [\mathsf{do}_x\, \mathit{ok}]_u . f_2(u) = f_{X_M}$$

Tentative derivation for $P_M$:

$$\frac{X_M(x) \triangleq P_{X_M} \qquad D_{X_M}}{\vdash X_M(x) : f_{X_M}}\ \text{[T-Def]}$$
$$\vdash \mathsf{do}_x\, a . X_M(x) + \mathsf{do}_x\, b . X_M(x) : \lambda u .\ [\mathsf{do}_x\, a]_u . f_{X_M}(u) + [\mathsf{do}_x\, b]_u . f_{X_M}(u) = f'_{P_M} \quad \text{[T-Sum]}$$
$$\vdash \mathsf{tell}_K\!\downarrow_x c . (\mathsf{do}_x\, a . X_M(x) + \mathsf{do}_x\, b . X_M(x)) : \lambda u .\ [\mathsf{tell}_K\!\downarrow_x c]_u . f'_{P_M}(u) = f_{P_M} \quad \text{[T-Sum]}$$
$$\vdash (x)(\mathsf{tell}_K\!\downarrow_x c . (\mathsf{do}_x\, a . X_M(x) + \mathsf{do}_x\, b . X_M(x))) = P_M : f_M = f_{P_M}\{f_{P_M}(*)/x\} \quad \text{[T-Del]}$$

The last step is the one that fails: [T-Del] additionally requires $f_{P_M}(x)$ to be honest.



Correspondingly, the abstract process $(\emptyset, f_{P_M}(x))$ can take the following transitions:

$$(\emptyset, f_{P_M}(x)) \xrightarrow{\text{[A-Tell1]}} (\{c\},\ a . f_{X_M}(x) + b . f_{X_M}(x)) \xrightarrow{\text{[A-Fuse]}} (c,\ a . f_{X_M}(x) + b . f_{X_M}(x))$$
$$\xrightarrow{\text{[A-Ctx]}} (\mathsf{ready}\ b . (\mathit{ok} ; \mathit{pay} . \mathit{ship\text{-}b} \oplus \mathit{no}),\ a . f_{X_M}(x) + b . f_{X_M}(x)) \xrightarrow{\text{[A-Do]}} (\mathit{ok} ; \mathit{pay} . \mathit{ship\text{-}b} \oplus \mathit{no},\ f_{X_M}(x))$$
$$= (\mathit{ok} ; \mathit{pay} . \mathit{ship\text{-}b} \oplus \mathit{no},\ \mathit{ok} . \mathit{pay} . \tau_{\mathit{ship\text{-}a?}} . \mathit{ship\text{-}a}) \xrightarrow{\text{[A-Do]}} (\mathit{pay} . \mathit{ship\text{-}b},\ \mathit{pay} . \tau_{\mathit{ship\text{-}a?}} . \mathit{ship\text{-}a})$$
$$\xrightarrow{\text{[A-Ctx]}} (\mathsf{ready}\ \mathit{pay} . \mathit{ship\text{-}b},\ \mathit{pay} . \tau_{\mathit{ship\text{-}a?}} . \mathit{ship\text{-}a}) \xrightarrow{\text{[A-Do]}} (\mathit{ship\text{-}b},\ \tau_{\mathit{ship\text{-}a?}} . \mathit{ship\text{-}a}) \xrightarrow{\text{[A-Tau2]}} (\mathit{ship\text{-}b},\ \mathit{ship\text{-}a})$$

Notice that, in the last step, ship-a is not ready for ship-b, hence $A[P_M]$ is not honest: the store has taken the payment for b but can only ever ship a.

We consider now the non-malicious food store process.

Example 5.37. If we try to type $P_N$, we incur problems similar to the previous example. In fact, the top-level delimitation of x requires applying rule [T-Del], which mandates the related channel type to be honest. Such type is:

$$f_{P_N}(x) = \tau . \tau? . \langle c \rangle . (a . \mathit{ok} . f_{X_N}(x) + b . f_{Y_N}(x))$$
where
$$f_{X_N}(x) = \mathit{pay} . (\tau_{\mathit{ship\text{-}a?}} . \mathit{ship\text{-}a} + \tau_{\mathit{ship\text{-}b?}} . \mathit{ship\text{-}b}) \qquad f_{Y_N}(x) = \tau? . (\mathit{ok} . f_{X_N}(x) + \tau . \mathit{no})$$

In case of b orders, $f_{P_N}(x)$ takes the following transitions:

$$f_{P_N}(x) \xrightarrow{\tau} \xrightarrow{\tau?} \xrightarrow{\langle c \rangle} a . \mathit{ok} . f_{X_N}(x) + b . f_{Y_N}(x) \xrightarrow{b} f_{Y_N}(x) \xrightarrow{\tau?} \mathit{ok} . f_{X_N}(x) + \tau . \mathit{no} \to \cdots$$

The corresponding transitions of the abstract process are:

$$(\emptyset, f_{P_N}(x)) \to^* (c,\ a . \mathit{ok} . f_{X_N}(x) + b . f_{Y_N}(x)) \to^* (\mathit{ok} ; \mathit{pay} . \mathit{ship\text{-}b} \oplus \mathit{no},\ f_{Y_N}(x)) = (\mathit{ok} ; \mathit{pay} . \mathit{ship\text{-}b} \oplus \mathit{no},\ \tau? . (\mathit{ok} . f_{X_N}(x) + \tau . \mathit{no}))$$

In the last step, we have that $\tau? . (\mathit{ok} . f_{X_N}(x) + \tau . \mathit{no})$ is not ready for $\mathit{ok} ; \mathit{pay} . \mathit{ship\text{-}b} \oplus \mathit{no}$. Indeed, the prefix $\tau?$ is not collapsed by $\Rightarrow$. Therefore, $f_{P_N}(x)$ is not honest. The possibly blocking action abstracted by that $\tau?$ stands between the customer's choice and the answer the store has promised; if it never fires, the store, not its partner on the other session, is the culpable party.

We also have a similar negative result for the channel type:

$$f_{P_N}(y) = \langle c_P \rangle . \mathit{payP} . \tau . (\tau? . \tau? . f_{X_N}(y) + \tau? . f_{Y_N}(y))$$

Here, the unavoidable $\tau?$ actions make the $f_{P_N}(y)$ reduct non-ready for the reduct of $c_P$ after $\mathit{payP}$. As a result, $P_N$ is untypeable.

Example 5.38. Finally, let us consider the last food store implementation, $P_H$. Let $P_{Y_H}$ be the process under delimitation of (y) in $Y_H(x)$. Processes $P_{Y_H}$ and $X_H(x)$ have the following channel types:

$$f_{Y_H}(y) = \langle c_P \rangle . \mathit{payP} \mid (\mathit{cover} . f_{X_H}(y) + \tau . (\tau? \mid \mathit{cancel}))$$
$$f_{Y_H}(x) = \tau . \tau? \mid (\tau? . f_{X_H}(x) + \tau . (\mathit{no} \mid \tau?))$$
$$f_{X_H}(x) = \mathit{ok} . \mathit{pay} . (\tau_{\mathit{ship\text{-}a?}} . \mathit{ship\text{-}a} + \tau_{\mathit{ship\text{-}b?}} . \mathit{ship\text{-}b})$$
$$f_{X_H}(y) = f_{X_H}(*) = \tau? . \tau? . (\tau? . \tau? + \tau? . \tau?)$$

The relevant transitions of the abstract processes above are shown in Fig. 10. By observing the abstract transitions we detect that $f_{Y_H}(y)$ is honest, hence we can apply rule [T-Del] to derive from the typing $\vdash P_{Y_H} : f_{Y_H}$ a type for $Y_H(x)$.

The process under delimitation in $P_H$ is typeable as well, and it has the following channel type:

$$f_{P_H}(x) = \langle c \rangle . (a . f_{X_H}(x) + b . f_{Y_H}(x))$$

By examining all the states of the transitions of the abstract process we obtain that $f_{P_H}(x)$ is honest. To do that, it is crucial to ensure that the relation $\vdash^\sharp$ allows collapsing the abstract prefixes $\tau_{\mathit{ship\text{-}a?}}$ and $\tau_{\mathit{ship\text{-}b?}}$: the guard on the ask is what makes the choice of product non-blocking once the contract has fixed it. Since $P_H$ is typeable, type safety guarantees that the food store is honest.

6. Concluding Remarks and Related Work

Building on CO2 we gave a type system that allows for the static checking of honesty of systems. The channels on which a CO2 process interacts are typed with a behavioural type. Such type abstracts the actual prefixes of the process while mimicking the non-deterministic and parallel branching of the process as well as its recursive behaviour. Our typing enjoys the subject reduction (Th. 5.32) and progress (Th. 5.34) properties. More importantly, type safety establishes honesty of typeable processes, that is, typeable processes honour their contracts in all contexts.
Figure 10. Abstract process reductions for the honest food store ($Y_H(x)$ sub-process). The graph omits the $\tau$ channel type transitions.

$$(\{c_P\},\ \mathit{payP} \mid \mathit{cover} . f_{X_H}(y) + \tau . (\tau? \mid \mathit{cancel})) \xrightarrow{\text{[A-Fuse]}} (c_P,\ \mathit{payP} \mid \mathit{cover} . f_{X_H}(y) + \tau . (\tau? \mid \mathit{cancel}))$$
$$(\{c_P\},\ \mathit{payP} \mid \tau? \mid \mathit{cancel}) \xrightarrow{\text{[A-Fuse]}} (c_P,\ \mathit{payP} \mid \tau? \mid \mathit{cancel})$$
$$(\mathit{cover} \oplus \mathit{cancel},\ \mathit{cover} . f_{X_H}(y) + \tau . (\tau? \mid \mathit{cancel})) \to^* (\mathit{cover} \oplus \mathit{cancel},\ \tau? \mid \mathit{cancel})$$



The process calculus CO2 has been introduced in Qj], and in 0] 
it has been instantiated to a theory of bilateral contracts inspired 
by [11]. We refer the reader to 12J for a comparison between our 
contract theory and the one in lllll . In 0] a process A is honest 
when, for each session she is engaged in, A is not definitely cul- 
pable. That is, A eventually performs the actions her contract pre- 
scribes. The definition of honesty we adopt here is based on readi- 
ness rather than culpability and we conjecture that it is equivalent 
to the notion of honesty in |2]. The main advantage of this novel 
approach compared to | 2] is twofold. On the one hand, it allows 
for a simplification of the analysis of honesty. On the other hand, 
abstract honesty turns out to be decidable (Th. l5.llt since the static 
analysis featured by our type system amounts to check reachabiility 
is decidable for Petri nets 1 16]. 

In (3) (multiparty) asserted global types are used to adapt 
design-by-contract to distributed interactions. In our framework, 
a participant declares its contract independently of the others; a 
CO2 primitive (fuse) tries then to combine advertised contracts 
within a suitable agreement. In other words, one could think of our 
approach as based on orchestration rather than choreography. 

The approaches based on global types typically guarantee prop- 
erties like progress, deadlock-freedom, and session fidelity for pro- 
cesses typeable according to a local type obtained by projecting a 
(well-formed) global type (see e.g., jj, |5|, IT^ ). In such contexts 
decidability of typing implies the decidability of those properties. 

On the contrary, honesty is undecidable [2]. This is due to the 
fact that honesty is defined by quantifying over contexts that may 
contain adversaries, that is, processes that violate their contracts. 
Instead, in the approaches based on global types, the correspon- 
dences between processes and the corresponding behavioural types 
are established for "trusted contexts" only. Namely, such properties 
hold true when no process misbehaves. To cope with "untrusted 
contexts", the approaches based on global types allow for the au- 
tomatic generation of monitors whereby interactions of processes 
are checked at runtime against their local contract (e.g., [12, 13]). 
Such monitors have a "local" view of the computation, i.e. they 
can detect a violation but cannot, in general, single out the culpable 
component. In fact, a monitor cannot know if an expected mes- 
sage is not delivered because the partner is violating his contract, 
or because he is blocked on interactions with other participants. 
The contract theory considered here makes it possible to single out 
culpable components during the computation. 

The problem of checking if a contract c representing the be- 
haviour of a service conforms to a role r of a given choreography 
H has been investigated in [6]. Under suitable well-formedness condi- 
tions, conformance of c is attained by establishing a should-test- 
ing pre-order between c and the projection of H with respect to 
role r. Similar techniques have been used in [7] to define contract- 
based composition of services. Besides using a different technical 
approach not based on pre-orders, a main difference with respect to 
the approach in [6] and [7] is that they do not consider conformance 
in the presence of dishonest participants. Actually, these papers fo- 
cus on using the testing pre-order to determine if the abstract be- 
haviour of a service (i.e., its contract) complies with a role of the 
choreography. Instead, we are interested in establishing whether a 
process abides by its own contract regardless of its execution context. 

Contracts for service-level agreement have been modelled in [?] 
as constraint-semirings. Such a model is used in [8] for compiling 
clients and services so as to guarantee that, whenever compatible, they 
progress harmoniously. This is orthogonal to our approach, since 
our aim is not to rule out "inconsistent" executions, but rather to blame 
participants that misbehave. 
$$A \;\mathit{says}\; (a ; c \oplus c') \;|\; B \;\mathit{says}\; (\bar{a} . d + d') \;\longrightarrow\; A \;\mathit{says}\; c \;|\; B \;\mathit{says}\; \mathit{ready}\,\bar{a} . d \qquad [\mathrm{IntExt}]$$

$$A \;\mathit{says}\; (a ; c \oplus c') \;|\; B \;\mathit{says}\; \bar{a} ; d \;\longrightarrow\; A \;\mathit{says}\; c \;|\; B \;\mathit{says}\; \mathit{ready}\,\bar{a} . d \qquad [\mathrm{IntInt}]$$

$$A \;\mathit{says}\; (a . c + c') \;|\; B \;\mathit{says}\; (\bar{a} . d + d') \;\longrightarrow\; A \;\mathit{says}\; c \;|\; B \;\mathit{says}\; \mathit{ready}\,\bar{a} . d \qquad [\mathrm{ExtExt}]$$

$$A \;\mathit{says}\; \mathit{ready}\,a . c \;|\; B \;\mathit{says}\; d \;\longrightarrow\; A \;\mathit{says}\; c \;|\; B \;\mathit{says}\; d \qquad [\mathrm{Rdy}]$$

$$\frac{\bar{a} \notin \{b_i\}_{i \in I}}{A \;\mathit{says}\; a ; c \oplus c' \;|\; B \;\mathit{says}\; \sum_{i \in I} b_i . d_i \;\longrightarrow\; A \;\mathit{says}\; \mathrm{E} \;|\; B \;\mathit{says}\; 0} \qquad [\mathrm{IntExtFail}]$$

$$\frac{\{\bar{a}\} \neq \{b_i\}_{i \in I}}{A \;\mathit{says}\; a ; c \oplus c' \;|\; B \;\mathit{says}\; \bigoplus_{i \in I} b_i ; d_i \;\longrightarrow\; A \;\mathit{says}\; \mathrm{E} \;|\; B \;\mathit{says}\; 0} \qquad [\mathrm{IntIntFail}]$$

$$\frac{(\{a\} \cup \{a_i\}_{i \in I}) \cap \{\bar{b}_j : j \in J\} = \emptyset}{A \;\mathit{says}\; (a . c + \sum_{i \in I} a_i . c_i) \;|\; B \;\mathit{says}\; \sum_{j \in J} b_j . d_j \;\longrightarrow\; A \;\mathit{says}\; \mathrm{E} \;|\; B \;\mathit{says}\; 0} \qquad [\mathrm{ExtExtFail}]$$



Figure 11. Semantics of contracts (symmetric rules for the actions of B omitted). In the first three rules, participants A and B can interact on 
the complementary actions $a$ and $\bar{a}$. In rule [IntExt], A follows the branch $a$ in her internal sum and B is forced to commit to the corresponding 
branch $\bar{a}$ in his external sum: this is done by marking such branch as $\mathit{ready}\,\bar{a}$ while discarding all the other branches. By rule [Rdy], B will 
then perform his action in the subsequent step. Rule [IntInt] allows participants to interact when both make an internal choice, provided 
that one of them (B in the rule) is a singleton, namely he can only commit to his unique branch. Were B exposing multiple branches, the 
transition would not be allowed, since B could pick an internal choice conflicting with that of A. In rule [ExtExt], both participants expose 
external sums with complementary actions, and each of the two can choose a branch (unlike in the case [IntExt], where the internal choice 
has to move first). In the [*Fail] rules, the action chosen by A is not supported by B; therefore, A will reach the success state $\mathrm{E}$, while B 
will fall into the failure state $0$. We assume contracts are up to the structural congruence defined as follows. The structural congruence $\equiv$ 
on contracts is the smallest equivalence relation that includes $\alpha$-conversion of recursion variables, and satisfies $\mathit{rec}\,X . c \equiv c\{^{\mathit{rec}\,X . c}/_X\}$ 
and $\bigoplus_{i \in \emptyset} a_i ; c_i \equiv \sum_{i \in \emptyset} a_i . c_i$. Empty sums (either internal or external) will be identified and denoted with $0$. We do not omit trailing 
occurrences of $0$. 
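To make the reduction rules of Figure 11 concrete, the following is a small interpreter for them, added as an example for this page; it is not code from the paper or from any CO2 implementation. It assumes a concrete representation of contracts (Python dataclasses for internal sums, external sums, ready-prefixes and the success state E, with empty sums identified with 0), represents an action as a name plus a polarity so that a and ā are complementary, omits recursion, and uses constructed buyer/store contracts with made-up action names pay, ship and cancel. The function `traces` enumerates every maximal run of `A says cA | B says cB`, so one can see both how a compatible pair of contracts reaches `0 | 0` and how a store that never offers the cancel branch, or never ships, drives the configuration into the `E | 0` outcome of the [*Fail] rules.

```python
# Added example: an interpreter for the bilateral contract reductions of
# Figure 11.  Contract representation, participant roles and the sample
# action names are this example's own assumptions, not the paper's code.
from dataclasses import dataclass
from typing import List, Tuple, Union

# An action is a name plus a polarity: ("pay", False) is a, ("pay", True) is a-bar.
Act = Tuple[str, bool]

def co(a: Act) -> Act:
    """Complementary action (a <-> a-bar)."""
    return (a[0], not a[1])

@dataclass(frozen=True)
class IntSum:      # a1 ; c1 (+) ... (+) an ; cn   -- internal choice
    branches: Tuple[Tuple[Act, "Contract"], ...]

@dataclass(frozen=True)
class ExtSum:      # a1 . c1 + ... + an . cn       -- external choice
    branches: Tuple[Tuple[Act, "Contract"], ...]

@dataclass(frozen=True)
class Ready:       # ready a . c -- the branch the partner committed to ([IntExt]/[ExtExt])
    action: Act
    cont: "Contract"

@dataclass(frozen=True)
class Success:     # the state E reached by the non-culpable side in the [*Fail] rules
    pass

Contract = Union[IntSum, ExtSum, Ready, Success]
ZERO = ExtSum(())  # empty sums, internal or external, are identified with 0
E = Success()

def moves_of(cA: Contract, cB: Contract) -> List[Tuple[str, Contract, Contract]]:
    """Reductions in which A moves against B, as (rule, A', B') triples."""
    out = []
    bacts = {b for b, _ in cB.branches} if isinstance(cB, (IntSum, ExtSum)) else set()
    if isinstance(cA, Ready):                                   # [Rdy]
        out.append(("Rdy", cA.cont, cB))
    elif isinstance(cA, IntSum):
        for a, c in cA.branches:                                # A picks one branch
            if isinstance(cB, ExtSum):
                if co(a) in bacts:                              # [IntExt]
                    d = next(d for b, d in cB.branches if b == co(a))
                    out.append(("IntExt", c, Ready(co(a), d)))
                else:                                           # [IntExtFail]
                    out.append(("IntExtFail", E, ZERO))
            elif isinstance(cB, IntSum):
                if len(cB.branches) == 1 and cB.branches[0][0] == co(a):   # [IntInt]
                    b, d = cB.branches[0]
                    out.append(("IntInt", c, Ready(b, d)))
                elif bacts != {co(a)}:                          # [IntIntFail]
                    out.append(("IntIntFail", E, ZERO))
    elif isinstance(cA, ExtSum) and cA.branches and isinstance(cB, ExtSum):
        matched = False
        for a, c in cA.branches:
            for b, d in cB.branches:
                if b == co(a):                                  # [ExtExt]
                    out.append(("ExtExt", c, Ready(b, d)))
                    matched = True
        if not matched:                                         # [ExtExtFail]
            out.append(("ExtExtFail", E, ZERO))
    return out

def steps(cA: Contract, cB: Contract) -> List[Tuple[str, str, Contract, Contract]]:
    """All reductions of 'A says cA | B says cB': A's moves plus the symmetric moves of B."""
    res = [(rule, "A", a2, b2) for rule, a2, b2 in moves_of(cA, cB)]
    res += [(rule, "B", a2, b2) for rule, b2, a2 in moves_of(cB, cA)]
    return res

def traces(cA: Contract, cB: Contract, prefix=()):
    """Every maximal run, as ([(rule, mover), ...], final (A, B) configuration)."""
    nxt = steps(cA, cB)
    if not nxt:
        return [(list(prefix), (cA, cB))]
    runs = []
    for rule, who, a2, b2 in nxt:
        runs.extend(traces(a2, b2, prefix + ((rule, who),)))
    return runs

# Constructed sample contracts (action names are made up for the example).
pay, ship, cancel = ("pay", False), ("ship", False), ("cancel", False)
BUYER = IntSum(((pay, ExtSum(((co(ship), ZERO),))),   # pay, then wait for the goods
                (cancel, ZERO)))                      # or cancel the order
STORE = ExtSum(((co(pay), IntSum(((ship, ZERO),))),   # after payment, ship
                (co(cancel), ZERO)))                  # cancellation accepted
LAZY_STORE = ExtSum(((co(pay), ZERO),))               # takes the money, never ships

if __name__ == "__main__":
    for run, (fa, fb) in traces(BUYER, STORE) + traces(BUYER, LAZY_STORE):
        print(" -> ".join(f"{r}({w})" for r, w in run), "ends in", fa, "|", fb)
```

Against STORE both runs of BUYER end in `0 | 0`; against LAZY_STORE, choosing cancel triggers [IntExtFail] immediately, and choosing pay leads, after [IntExt] and [Rdy], to BUYER waiting on an external sum while LAZY_STORE is already 0, which is exactly the shape of [ExtExtFail]: the buyer reaches E and the store is the one that falls into 0.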